Stay organized with collections Save and categorize content based on your preferences.
HtmlOutputAn HtmlOutput object that can be served from a script. Due to security considerations, scripts cannot directly return HTML to a browser. Instead, they must sanitize it so that it cannot perform malicious actions. You can return sanitized HTML like this:
function doGet() {
return HtmlService.createHtmlOutput('<b>Hello, world!</b>');
}
The code in the
HtmlOutput
can include embedded JavaScript and CSS. (This is standard client-side JavaScript that manipulates the DOM, not Apps Script). All of this content is sandboxed using
iframe sandboxing. For more information, see the
guide to restrictions in HTML service.
Methods Method Return type Brief descriptionaddMetaTag(name, content) HtmlOutput Adds a meta tag to the page. append(addedContent) HtmlOutput Appends new content to the content of this HtmlOutput. appendUntrusted(addedContent) HtmlOutput Appends new content to the content of this HtmlOutput, using contextual escaping. asTemplate() HtmlTemplate Returns an HtmlTemplate backed by this HtmlOutput. clear() HtmlOutput Clears the current content. getAs(contentType) Blob Return the data inside this object as a blob converted to the specified content type. getBlob() Blob Return the data inside this object as a blob. getContent() String Gets the content of this HtmlOutput. getFaviconUrl() String Gets the URL for a favicon link tag added to the page by calling setFaviconUrl(iconUrl). getHeight() Integer Gets the initial height of the custom dialog in Google Docs, Sheets, or Forms. getMetaTags() HtmlOutputMetaTag[] Gets an array of objects that represent meta tags added to the page by calling addMetaTag(name, content). getTitle() String Gets the title of the output page. getWidth() Integer Gets the initial width of the custom dialog in Google Docs, Sheets, or Forms. setContent(content) HtmlOutput Sets the content of this HtmlOutput. setFaviconUrl(iconUrl) HtmlOutput Adds a link tag for a favicon to the page. setHeight(height) HtmlOutput Sets the initial height of the custom dialog in Google Docs, Sheets, or Forms. setSandboxMode(mode) HtmlOutput This method now has no effect — previously it set the sandbox mode used for client-side scripts. setTitle(title) HtmlOutput Sets the title of the output page. setWidth(width) HtmlOutput Sets the initial width of a custom dialog in Google Docs, Sheets, or Forms. setXFrameOptionsMode(mode) HtmlOutput Sets the state of the page's X-Frame-Options header, which controls clickjacking prevention. Detailed documentation append(addedContent)
Appends new content to the content of this HtmlOutput. Use this only for content from a trusted source, because it is not escaped.
// Log "<b>Hello, world!</b><p>Hello again, world.</p>"
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.append('<p>Hello again, world.</p>');
Logger.log(output.getContent()); Parameters Name Type Description addedContent String The content to append. Return
HtmlOutput — This output, for chaining.
Error — if the HTML is malformed
appendUntrusted(addedContent)
Appends new content to the content of this HtmlOutput, using contextual escaping.
This method correctly escapes content based on the current state of the HtmlOutput, so that the result is a safe string with no markup or side affects. Use this instead of using append whenever you are adding content from an untrusted source, such as from a user, to avoid accidentally allowing a cross site scripting (XSS) bug where content or markup that you append causes unexpected code execution.
// Log "<b>Hello, world!</b><p>Hello again, world.</p>"
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.appendUntrusted('<p>Hello again, world.</p>');
Logger.log(output.getContent()); Parameters Name Type Description addedContent String The content to append. Return
HtmlOutput — This output, for chaining.
Error — if the HTML is very malformed
asTemplate()
Returns an HtmlTemplate backed by this HtmlOutput. This method can be used to build up a template incrementally. Future changes to HtmlOutput affect the contents of the HtmlTemplate as well.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
const template = output.asTemplate(); Return
HtmlTemplate — The new HtmlTemplate.
clear()
Clears the current content.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.clear(); Return
HtmlOutput — This output, for chaining.
getAs(contentType)
Return the data inside this object as a blob converted to the specified content type. This method adds the appropriate extension to the filename—for example, "myfile.pdf". However, it assumes that the part of the filename that follows the last period (if any) is an existing extension that should be replaced. Consequently, "ShoppingList.12.25.2014" becomes "ShoppingList.12.25.pdf".
To view the daily quotas for conversions, see Quotas for Google Services. Newly created Google Workspace domains might be temporarily subject to stricter quotas.
Parameters Name Type DescriptioncontentType String The MIME type to convert to. For most blobs, 'application/pdf' is the only valid option. For images in BMP, GIF, JPEG, or PNG format, any of 'image/bmp', 'image/gif', 'image/jpeg', or 'image/png' are also valid. For a Google Docs document, 'text/markdown' is also valid. Return
Blob — The data as a blob.
getBlob()
Return the data inside this object as a blob.
ReturnBlob — The data as a blob.
getContent()
Gets the content of this HtmlOutput.
// Log "<b>Hello, world!</b>"
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
Logger.log(output.getContent()); Return
String — The content that is served.
getFaviconUrl()
Gets the URL for a favicon link tag added to the page by calling setFaviconUrl(iconUrl). Favicon link tags included directly in an Apps Script HTML file are ignored.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setFaviconUrl('http://www.example.com/image.png');
Logger.log(output.getFaviconUrl()); Return
String — The URL of the favicon image.
getHeight()
Gets the initial height of the custom dialog in Google Docs, Sheets, or Forms. If the HtmlOutput is published as a web app instead, this method returns null. To resize a dialog that is already open, call google.script.host.setHeight(height) in client-side code.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setHeight(200);
Logger.log(output.getHeight()); Return
Integer — The height, in pixels.
getTitle()
Gets the title of the output page. Note that the <title> HTML element is ignored.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
Logger.log(output.getTitle()); Return
String — The title of the page.
getWidth()
Gets the initial width of the custom dialog in Google Docs, Sheets, or Forms. If the HtmlOutput is published as a web app instead, this method returns null. To resize a dialog that is already open, call google.script.host.setWidth(width) in client-side code.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setWidth(200);
Logger.log(output.getWidth()); Return
Integer — The width in pixels.
setContent(content)
Sets the content of this HtmlOutput.
const output = HtmlService.createHtmlOutput();
output.setContent('<b>Hello, world!</b>'); Parameters Name Type Description content String The content to serve. Return
HtmlOutput — This output, for chaining.
Error — if the HTML is malformed
setFaviconUrl(iconUrl)
Adds a link tag for a favicon to the page. Favicon link tags included directly in an Apps Script HTML file are ignored.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setFaviconUrl('http://www.example.com/image.png'); Parameters Name Type Description iconUrl String The URL of the favicon image, with the image extension indicating the image type. Return
HtmlOutput — This output, for chaining.
setHeight(height)
Sets the initial height of the custom dialog in Google Docs, Sheets, or Forms. If the HtmlOutput is published as a web app instead, this method has no effect. To resize a dialog that is already open, call google.script.host.setHeight(height) in client-side code.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setHeight(200); Parameters Name Type Description height Integer The new height in pixels; null results in a default value. Return
HtmlOutput — This output, for chaining.
setSandboxMode(mode)
This method now has no effect — previously it set the sandbox mode used for client-side scripts. To protect users from being served malicious HTML or JavaScript, client-side code served from HTML service executes in a security sandbox that imposes restrictions on the code. Originally this method allowed script authors to choose between different versions of the sandbox, but now all scripts now use IFRAME mode regardless of what sandbox mode is set. For more information, see the guide to restrictions in HTML service.
The IFRAME mode imposes many fewer restrictions than the other sandbox modes and runs fastest, but does not work at all in certain older browsers, including Internet Explorer 9. The sandbox mode can be read in a client-side script by inspecting google.script.sandbox.mode. Note that this property returns the actual mode on the client, which may differ from the mode requested on the server if the requested mode is not supported in the user's browser.
<!-- Read the sandbox mode (in a client-side script). --> <script> alert(google.script.sandbox.mode); </script>Parameters Name Type Description
mode SandboxMode The sandbox mode to use. Return
HtmlOutput — This output, for chaining.
setTitle(title)
Sets the title of the output page. For web apps, this is the title of the entire page, while for HtmlOutput shown in Google Sheets, this is the dialog title.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setTitle('My First Page'); Parameters Name Type Description title String The new title. Return
HtmlOutput — This output, for chaining.
setWidth(width)
Sets the initial width of a custom dialog in Google Docs, Sheets, or Forms. If the HtmlOutput is published as a web app instead, this method has no effect. To resize a dialog that is already open, call google.script.host.setWidth(width) in client-side code.
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setWidth(200); Parameters Name Type Description width Integer The new width in pixels; null results in a default value. Return
HtmlOutput — This output, for chaining.
setXFrameOptionsMode(mode)
Sets the state of the page's X-Frame-Options header, which controls clickjacking prevention.
Setting XFrameOptionsMode.ALLOWALL lets any site iframe the page, so the developer should implement their own protection against clickjacking.
If a script does not set an X-Frame-Options mode, Apps Script uses XFrameOptionsMode.DEFAULT mode as the default.
// Serve HTML with no X-Frame-Options header (in Apps Script server-side code).
const output = HtmlService.createHtmlOutput('<b>Hello, world!</b>');
output.setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL); Parameters Return
HtmlOutput — This output, for chaining.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-12-03 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-12-03 UTC."],[[["HtmlOutput lets you safely display custom HTML content within Google Apps Script, preventing security risks."],["It utilizes sandboxing and contextual escaping to protect against malicious code."],["Developers can manipulate the HTML using provided methods, like setting titles, dimensions, and content."],["Strict limitations and security considerations are essential when working with HtmlOutput for user safety."],["Refer to the HTML service guide for a detailed understanding of restrictions and best practices."]]],["`HtmlOutput` objects serve sanitized HTML in Google Apps Script, using an iframe sandbox for security. Key actions include: adding meta tags (`addMetaTag`), appending trusted (`append`) or untrusted (`appendUntrusted`) content, clearing content (`clear`), converting to a template (`asTemplate`), managing dimensions (`setWidth`, `setHeight`), and retrieving content (`getContent`). It also handles favicon setting (`setFaviconUrl`), title setting (`setTitle`) and configuring the `X-Frame-Options` header (`setXFrameOptionsMode`). `appendUntrusted()` prevent Cross Site Scripting (XSS) vulnerabilities. Changes to the `HtmlOutput` affect the template.\n"]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4