
Sanitizer()

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The Sanitizer() constructor creates a new Sanitizer object, which can be used to sanitize untrusted strings of HTML, or untrusted Document or DocumentFragment objects, making them safe for insertion into a document's DOM.

The default Sanitizer() configuration causes sanitizer operations to strip out XSS-relevant input by default, including <script> tags, custom elements, and comments. The constructor options shown below can be used to customize the sanitizer behavior.

Syntax

new Sanitizer()
new Sanitizer(config)

Parameters

Note: The custom configuration options described here are not yet supported (because at time of writing the sanitizer configuration object is still being defined).

config Optional

A sanitizer configuration object with the following options (referred to as SanitizerConfig in the specification):

allowElements Optional

An Array of strings indicating elements the sanitizer should not remove.

blockElements Optional

An Array of strings indicating elements the sanitizer should remove while keeping their child elements (the element is unwrapped rather than dropped).

dropElements Optional

An Array of strings indicating elements the sanitizer should remove, along with their child elements.

allowAttributes Optional

An Array of strings indicating attributes the sanitizer should not remove.

dropAttributes Optional

An Array of strings indicating attributes the sanitizer should remove.

allowCustomElements Optional

A Boolean value set to false (default) to remove custom elements and their children. Set to true to keep custom elements and sanitize them using the built-in and custom configuration checks.

allowComments Optional

A Boolean value set to false (default) to remove HTML comments. Set to true to retain comments.

Examples

The example below shows a sanitization operation using the Sanitizer.sanitizeFor() method. This method takes as inputs a string of HTML to sanitize and the context (tag) in which it is sanitized, and returns a sanitized node object for the specified tag. To simplify the presentation, the result shown is the innerHTML of the returned object.

Note: The API only sanitizes HTML in strings in the context of a particular element/tag. For more information see HTML Sanitizer API (and Sanitizer.sanitizeFor()).

This example shows the result of sanitizing a string containing a disallowed script element using the default sanitizer (in a div context).

// Untrusted input containing a script element.
let unsanitized = "abc <script>alert(1)</script> def";
// Sanitize in a div context; the returned node is a div element.
const sanitized = new Sanitizer().sanitizeFor("div", unsanitized);
// Result (innerHTML of 'sanitized'): script will be removed: "abc alert(1) def"
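As an added example (not MDN's code), the wrapper below declares a SanitizerConfig using the options listed above, rejects a config whose lists contradict each other, and calls sanitizeFor() only where the Sanitizer constructor exists, otherwise rendering the input as plain text. The COMMENT_POLICY allow-list and the overlap checks are assumptions; as noted above, supporting browsers do not yet honour the configuration options, so the default sanitizer applies until they do.

```javascript
// Added example (not MDN's code). Wraps new Sanitizer(config).sanitizeFor()
// behind a config check and a fail-closed fallback for browsers without it.

// Constructed allow-list policy for rendering user comments (an assumption).
const COMMENT_POLICY = {
  allowElements: ["p", "b", "i", "a", "ul", "li", "code"],
  blockElements: ["div", "span"],                          // unwrap, keep children
  dropElements: ["script", "style", "iframe", "object"],   // remove with children
  allowAttributes: ["href"],
  dropAttributes: ["onclick", "onerror", "style"],
  allowCustomElements: false,
  allowComments: false,
};

// Lists that must not overlap: the page does not say which list wins, and an
// element named in two of them is a policy bug, not a browser question.
const EXCLUSIVE_PAIRS = [
  ["allowElements", "blockElements"],
  ["allowElements", "dropElements"],
  ["blockElements", "dropElements"],
  ["allowAttributes", "dropAttributes"],
];

function validateConfig(config) {
  const errors = [];
  for (const [x, y] of EXCLUSIVE_PAIRS) {
    const shared = (config[x] || []).filter((n) => (config[y] || []).includes(n));
    for (const name of shared) errors.push(`"${name}" is in both ${x} and ${y}`);
  }
  return errors;
}

// Returns "sanitized" when the Sanitizer API was used, "text-only" otherwise.
function sanitizeInto(target, untrustedHtml, config = COMMENT_POLICY) {
  const errors = validateConfig(config);
  if (errors.length) throw new Error("bad SanitizerConfig: " + errors.join("; "));
  if (typeof Sanitizer === "function") {
    // sanitizeFor("div", ...) returns a div whose children are already safe
    // to move into the live document.
    const node = new Sanitizer(config).sanitizeFor("div", untrustedHtml);
    target.replaceChildren(...node.childNodes);
    return "sanitized";
  }
  // No Sanitizer: show the input as text; textContent is never parsed as HTML.
  target.textContent = untrustedHtml;
  return "text-only";
}
```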

Specifications

Browser compatibility

Desktop
  Chrome: 93
  Edge: 93
  Firefox: 83
  Internet Explorer: No
  Opera: 79
  Safari: No

Mobile
  WebView Android: No
  Chrome Android: No
  Firefox for Android: No
  Opera Android: No
  Safari on iOS: No
  Samsung Internet: No

© 2005–2021 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer/Sanitizer