Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The SanitizerConfig dictionary of the HTML Sanitizer API represents a sanitizer configuration object. The configuration specifies what elements, attributes and comments are allowed or should be removed when inserting strings of HTML into an Element or ShadowRoot, or when parsing an HTML string into a Document.
An instance of this type can be passed to the Sanitizer() constructor to configure a Sanitizer, and is returned by Sanitizer.get(). It can also be passed as the options.sanitizer parameter when calling the sanitization methods:
setHTML() or setHTMLUnsafe() on Element
setHTML() or setHTMLUnsafe() on ShadowRoot
the Document.parseHTML() or Document.parseHTMLUnsafe() static methods
Note that normally a Sanitizer instance would be passed as the option instead of a SanitizerConfig in the above methods, in particular because Sanitizer instances are more efficient to share and modify.
elements
An array indicating the elements to allow when sanitizing HTML, optionally also specifying their allowed or removed attributes. Each element can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the element.
namespace Optional
A string containing the namespace of the element. The default namespace is "http://www.w3.org/1999/xhtml".
attributes Optional
An array indicating the attributes to allow on this (allowed) element when sanitizing HTML. Each attribute can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the attribute.
namespace Optional
A string containing the namespace of the attribute, which defaults to null.
removeAttributes Optional
An array indicating the attributes to remove from this (allowed) element when sanitizing HTML. Each attribute can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the attribute.
namespace Optional
A string containing the namespace of the attribute, which defaults to null.
removeElements
An array indicating the elements to remove when sanitizing HTML. Each element can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the element.
namespace Optional
A string containing the namespace of the element. The default namespace is "http://www.w3.org/1999/xhtml".
replaceWithChildrenElements
An array indicating the elements to replace with their content when sanitizing HTML. This is primarily used to strip styles from text (for example, you could use this to change <b>some text</b> to some text). Each element can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the element.
namespace Optional
A string containing the namespace of the element. The default namespace is "http://www.w3.org/1999/xhtml".
attributes
An array indicating the attributes to allow (on any allowed element) when sanitizing HTML. Each attribute can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the attribute.
namespace Optional
A string containing the namespace of the attribute, which defaults to null.
removeAttributes
An array indicating the attributes to remove from elements when sanitizing HTML. Each attribute can be specified by name (a string), or as an object with the following properties:
name
A string containing the name of the attribute.
namespace Optional
A string containing the namespace of the attribute, which defaults to null.
comments
true if comments are allowed, and false if they are to be removed.
dataAttributes
true if data attributes are allowed, and false if they are to be removed.
Creating an "allow" configuration
This example shows how you might create an "allow" sanitizer configuration, and in this case pass it to the Sanitizer() constructor.
const sanitizer = new Sanitizer({
elements: ["div", "p", "script"],
attributes: ["id"],
replaceWithChildrenElements: ["b"],
comments: true,
dataAttributes: false,
});
Note that you cannot specify both allow and remove lists in the same configuration without causing an exception when passing the configuration to the constructor or a sanitization method.
Creating a "remove" configuration
This example shows how you might create a "remove" sanitizer configuration, and in this case pass it to the Sanitizer() constructor.
const sanitizer = new Sanitizer({
removeElements: ["span", "script"],
removeAttributes: ["lang", "id"],
comments: false,
});
Note that you cannot specify both allow and remove lists in the same configuration without causing an exception when passing the configuration to the constructor or a sanitization method.
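The following is an added example, not code from the MDN page or from any browser's implementation. It expands a SanitizerConfig dictionary into the fully-qualified form the property descriptions above define (string entries become {name, namespace} objects, elements defaulting to the XHTML namespace and attributes to null) and enforces the rule stated in both notes that allow and remove lists cannot be mixed. Applying that same rule to an element's own attributes/removeAttributes pair is an assumption of this example.

```javascript
// Added example (not from the MDN page): expand a SanitizerConfig into its
// explicit form and reject configs that mix allow and remove lists.
const XHTML_NS = "http://www.w3.org/1999/xhtml"; // default element namespace

// Elements default to the XHTML namespace; attributes default to null.
function normalizeName(entry, defaultNamespace) {
  if (typeof entry === "string") {
    return { name: entry, namespace: defaultNamespace };
  }
  if (!entry || typeof entry.name !== "string") {
    throw new TypeError("each entry needs a string name");
  }
  return { name: entry.name, namespace: entry.namespace ?? defaultNamespace };
}

function rejectMixedLists(obj, allowKey, removeKey, where) {
  if (obj[allowKey] !== undefined && obj[removeKey] !== undefined) {
    throw new TypeError(`${where}: cannot set both ${allowKey} and ${removeKey}`);
  }
}

// Entries of "elements" may carry their own attribute lists.
function normalizeAllowedElement(entry) {
  const el = normalizeName(entry, XHTML_NS);
  if (typeof entry === "object") {
    // Assumption: the per-element pair follows the same no-mixing rule.
    rejectMixedLists(entry, "attributes", "removeAttributes", `element ${el.name}`);
    for (const key of ["attributes", "removeAttributes"]) {
      if (entry[key]) el[key] = entry[key].map((a) => normalizeName(a, null));
    }
  }
  return el;
}

function normalizeSanitizerConfig(config) {
  rejectMixedLists(config, "elements", "removeElements", "config");
  rejectMixedLists(config, "attributes", "removeAttributes", "config");
  const out = {};
  if (config.elements) out.elements = config.elements.map(normalizeAllowedElement);
  for (const key of ["removeElements", "replaceWithChildrenElements"]) {
    if (config[key]) out[key] = config[key].map((e) => normalizeName(e, XHTML_NS));
  }
  for (const key of ["attributes", "removeAttributes"]) {
    if (config[key]) out[key] = config[key].map((a) => normalizeName(a, null));
  }
  if (config.comments !== undefined) out.comments = Boolean(config.comments);
  if (config.dataAttributes !== undefined) out.dataAttributes = Boolean(config.dataAttributes);
  return out;
}
```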
Specifications
Browser compatibility