Sanitizer

Draft

This page is not complete.

Secure context

This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The Sanitizer interface of the HTML Sanitizer API allows developers to take untrusted strings of HTML, and sanitize them for safe insertion into a document’s DOM.

Constructors

Sanitizer.Sanitizer
Creates and returns a Sanitizer object.

Methods

Sanitizer.sanitizeToString()
Returns a sanitized String from an input, removing any offending elements or attributes.
Sanitizer.sanitize()
Returns a sanitized DocumentFragment from an input, removing any offending elements or attributes.

Examples

This example shows the result of sanitizing a string using the Sanitizer.sanitizeToString() method. Disallowed script and blink elements are removed from the input.

// our input string to clean
const stringToClean = 'Some text <b><i>with</i></b> <blink>tags</blink>, including a rogue script <script>alert(1)</script> def.';

const result = new Sanitizer().sanitizeToString(stringToClean);
console.log(result);
// Logs: "Some text <b><i>with</i></b> <blink>tags</blink>, including a rogue script def."

Specifications

Specification Status Comment
HTML Sanitizer API
The definition of 'sanitizer' in that specification.
Working Draft Initial definition.

Browser compatibility

BCD tables only load in the browser