Sanitizer
Draft
This page is not complete.
Secure context
This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The Sanitizer
interface of the HTML Sanitizer API
allows developers to take untrusted strings of HTML, and sanitize them for safe insertion into a document’s DOM.
Constructors
Sanitizer.Sanitizer
- Creates and returns a
Sanitizer
object.
Methods
Sanitizer.sanitizeToString()
- Returns a sanitized
String
from an input, removing any offending elements or attributes. Sanitizer.sanitize()
- Returns a sanitized
DocumentFragment
from an input, removing any offending elements or attributes.
Examples
This example shows the result of sanitizing a string using the Sanitizer.sanitizeToString()
method. Disallowed script
and blink
elements are removed from the input.
// our input string to clean
const stringToClean = 'Some text <b><i>with</i></b> <blink>tags</blink>, including a rogue script <script>alert(1)</script> def.';
const result = new Sanitizer().sanitizeToString(stringToClean);
console.log(result);
// Logs: "Some text <b><i>with</i></b> <blink>tags</blink>, including a rogue script def."
Specifications
Specification | Status | Comment |
---|---|---|
HTML Sanitizer API The definition of 'sanitizer' in that specification. |
Working Draft | Initial definition. |
Browser compatibility
BCD tables only load in the browser