The Sanitizer() constructor creates a new Sanitizer object, which can be used to sanitize untrusted strings of HTML, or untrusted Document or DocumentFragment objects, making them safe for insertion into a document's DOM.

The default Sanitizer() configuration causes sanitizer operations to strip out XSS-relevant input by default, including <script> tags, custom elements, and comments. The constructor options shown below can be used to customize the sanitizer behavior.
new Sanitizer()
new Sanitizer(config)
Note: The custom configuration options described here are not yet supported (because at time of writing the sanitizer configuration object is still being defined).
config (Optional)
    A sanitizer configuration object with the following options (referred to as SanitizerConfig in the specification):

    allowElements (Optional)
        An Array of strings indicating elements the sanitizer should not remove.

    blockElements (Optional)
        An Array of strings indicating elements the sanitizer should remove while keeping their child elements.

    dropElements (Optional)
        An Array of strings indicating elements the sanitizer should remove, along with their child elements.

    allowAttributes (Optional)
        An Array of strings indicating attributes the sanitizer should not remove.

    dropAttributes (Optional)
        An Array of strings indicating attributes the sanitizer should remove.

    allowCustomElements (Optional)
        A Boolean value set to false (default) to remove custom elements and their children. Set to true to sanitize custom elements using the built-in and custom configuration checks.

    allowComments (Optional)
        A Boolean value set to false (default) to remove HTML comments. Set to true to retain comments.
The example below shows a sanitization operation using the Sanitizer.sanitizeFor() method. This method takes as inputs a string of HTML to sanitize and the context (tag) in which it is sanitized, and returns a sanitized node object for the specified tag. To simplify the presentation, the result that is shown is actually the innerHTML of the returned object.

This example shows the result of sanitizing a string containing a disallowed script element using the default sanitizer (in a div context).
// Untrusted markup containing a script element, which the default configuration drops.
let unsanitized = "abc <script>alert(1)</script> def";
// Sanitize for insertion as the content of a <div>; the script element (and its
// content) is removed and a sanitized node object is returned.
const sanitized = new Sanitizer().sanitizeFor("div", unsanitized);
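The allow/block/drop distinction among the configuration options above is easy to get wrong (blockElements keeps children, dropElements discards them), and the browser API cannot be exercised outside a browser. The following added example, which is not part of the original page and is not the HTML Sanitizer API's implementation, is a small model of those SanitizerConfig rules applied to a simplified, well-formed HTML string so the behavior can be seen directly. Its assumptions are labelled in the comments: the built-in baseline is modelled as "always drop script and always drop on* event-handler attributes", and elements outside a supplied allowElements list are treated as blocked (tag removed, children kept). Real code should call new Sanitizer(config).sanitizeFor(...), as in the page's example.

```javascript
// Added illustration of SanitizerConfig semantics (allow/block/drop lists, attribute
// lists, allowCustomElements, allowComments). Not the browser's Sanitizer API.
// Assumes well-nested, well-formed input (no CDATA, no '>' inside attribute values).

// Modelled built-in baseline (assumption): script is always dropped and on* attributes
// are always removed, regardless of the custom configuration.
const BASELINE_DROP = new Set(["script"]);
const VOID = new Set(["br", "img", "hr", "input", "meta", "link", "area", "base",
  "col", "embed", "source", "track", "wbr"]);

// Tokens: comment | end tag | start tag (name, raw attrs) | text | stray '<'
const TOKEN = /<!--[\s\S]*?-->|<\/([a-zA-Z][\w-]*)\s*>|<([a-zA-Z][\w-]*)([^>]*?)\/?>|[^<]+|</g;

function parseAttrs(raw) {
  const attrs = [];
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return attrs;
}

// "allow": keep tag; "block": remove tag, keep children; "drop": remove tag and children.
// Precedence in this model: baseline > dropElements > blockElements > custom-element
// rule > allowElements (elements not on a supplied allow list are blocked: assumption).
function elementAction(name, cfg) {
  if (BASELINE_DROP.has(name)) return "drop";
  if (cfg.dropElements?.includes(name)) return "drop";
  if (cfg.blockElements?.includes(name)) return "block";
  if (name.includes("-") && !cfg.allowCustomElements) return "drop";
  if (cfg.allowElements && !cfg.allowElements.includes(name)) return "block";
  return "allow";
}

function attrAllowed(attr, cfg) {
  if (attr.startsWith("on")) return false; // modelled baseline: event handlers
  if (cfg.dropAttributes?.includes(attr)) return false;
  if (cfg.allowAttributes && !cfg.allowAttributes.includes(attr)) return false;
  return true;
}

function serializeStart(name, attrs, cfg) {
  const kept = attrs
    .filter(([a]) => attrAllowed(a, cfg))
    .map(([a, v]) => ` ${a}="${v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")}"`)
    .join("");
  return `<${name}${kept}>`;
}

function modelSanitize(html, cfg = {}) {
  let out = "";
  const stack = [];   // open elements: { name, action }
  let dropDepth = 0;  // > 0 while inside a dropped subtree
  for (const m of html.matchAll(TOKEN)) {
    const [tok, endName, startName, rawAttrs] = m;
    if (endName !== undefined) {
      const name = endName.toLowerCase();
      let i = stack.length - 1;
      while (i >= 0 && stack[i].name !== name) i--;
      if (i < 0) continue; // stray end tag: discard
      while (stack.length > i) { // implicitly close anything left open above it
        const open = stack.pop();
        if (open.action === "drop") dropDepth--;
        else if (open.action === "allow" && dropDepth === 0) out += `</${open.name}>`;
      }
      continue;
    }
    if (startName !== undefined) {
      const name = startName.toLowerCase();
      // Everything inside a dropped subtree is dropped too, whatever the lists say.
      const action = dropDepth > 0 ? "drop" : elementAction(name, cfg);
      if (action === "allow") out += serializeStart(name, parseAttrs(rawAttrs), cfg);
      if (!VOID.has(name)) {
        stack.push({ name, action });
        if (action === "drop") dropDepth++;
      }
      continue;
    }
    if (dropDepth > 0) continue;            // text/comment inside a dropped subtree
    if (tok.startsWith("<!--")) {           // comments: kept only with allowComments
      if (cfg.allowComments) out += tok;
      continue;
    }
    out += tok === "<" ? "&lt;" : tok;      // text; a stray '<' is escaped
  }
  while (stack.length) { // close elements left open at end of input
    const open = stack.pop();
    if (open.action === "drop") dropDepth--;
    else if (open.action === "allow" && dropDepth === 0) out += `</${open.name}>`;
  }
  return out;
}

// Constructed sample matching the page's example: the script element and its content go.
const demo = modelSanitize("abc <script>alert(1)</script> def");
```

Running modelSanitize over the page's input gives "abc  def" (two spaces, because only the element was removed and the surrounding text was left alone). Comparing `{ blockElements: ["b"] }` with `{ dropElements: ["b"] }` on `<b>text</b>` shows the practical difference: the first keeps "text", the second removes it, which is the choice that matters when the element being removed wraps attacker-controlled content.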