Sanitizer: sanitize() method
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The sanitize() method of the Sanitizer interface is used to sanitize a tree of DOM nodes, removing any unwanted elements or attributes. It should be used when the data to be sanitized is already available as DOM nodes, for example when sanitizing a Document instance in a frame.
The default Sanitizer() configuration strips out XSS-relevant input by default, including <script> tags, custom elements, and comments. The sanitizer configuration may be customized using Sanitizer() constructor options.
Note: To sanitize strings, instead use Element.setHTML() or Sanitizer.sanitizeFor(). See HTML Sanitizer API for more information.
Syntax

```js
sanitize(input)
```
Parameters

input
    A DocumentFragment or Document to be sanitized.
Return value

A sanitized DocumentFragment.
Exceptions
None.
Examples

To sanitize data from an iframe with id userFrame:

```js
const sanitizer = new Sanitizer(); // Default sanitizer configuration

// Get the frame and its Document object
const frame_element = document.getElementById("userFrame");
const unsanitized_frame_tree = frame_element.contentWindow.document;

// Sanitize the document tree (a new, sanitized DocumentFragment is returned)
// and update the frame with the result.
const sanitized_frame_tree = sanitizer.sanitize(unsanitized_frame_tree);
frame_element.replaceChildren(sanitized_frame_tree);
```
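The example below is an added illustration, not code from the MDN page or the HTML Sanitizer API specification. It shows the other input type sanitize() accepts, a DocumentFragment, built inertly from a constructed string of untrusted markup that contains the kinds of content the default configuration is documented to remove (a <script> element, an inline event-handler attribute, a custom element and a comment). It also feature-detects the experimental API and fails closed when it is absent: the untrusted markup is shown as text rather than inserted as HTML. The helpers supportsSanitizerApi, fragmentFromUntrustedHtml, countElementsAndAttributes and sanitizeAndRender are assumed names introduced here; the element id "output" is likewise assumed.

```javascript
// Added example (assumed helper names); assumes a browser exposing the
// experimental Sanitizer API. The DOM-dependent part only runs in a page.

// Feature detection: true only when the global has a Sanitizer constructor
// whose instances expose sanitize(), the shape documented on this page.
function supportsSanitizerApi(global = globalThis) {
  const S = global.Sanitizer;
  return typeof S === "function" && typeof S.prototype?.sanitize === "function";
}

// Parse untrusted markup into a DocumentFragment without executing it.
// <template> contents are inert: scripts do not run and resources do not load,
// so the fragment can be handed to sanitize() safely.
function fragmentFromUntrustedHtml(doc, html) {
  const tpl = doc.createElement("template");
  tpl.innerHTML = html;
  return tpl.content;
}

// Count elements and attributes in a tree (DocumentFragment or Element) so the
// effect of sanitize() can be logged; comments are not counted because they are
// not elements. Works on any object exposing .children and .attributes.length.
function countElementsAndAttributes(root) {
  let elements = 0;
  let attributes = 0;
  for (const el of root.children) {
    elements += 1;
    attributes += el.attributes.length;
    const sub = countElementsAndAttributes(el);
    elements += sub.elements;
    attributes += sub.attributes;
  }
  return { elements, attributes };
}

// Sanitize untrusted markup and render it into `container`.
// Fails closed: without the Sanitizer API the markup is rendered as text.
function sanitizeAndRender(doc, container, untrustedHtml, sanitizer) {
  if (!supportsSanitizerApi(doc.defaultView)) {
    container.textContent = untrustedHtml;
    return null;
  }
  const dirty = fragmentFromUntrustedHtml(doc, untrustedHtml);
  const before = countElementsAndAttributes(dirty);
  // sanitize() returns a new DocumentFragment with unwanted nodes removed.
  const clean = sanitizer.sanitize(dirty);
  const after = countElementsAndAttributes(clean);
  container.replaceChildren(clean);
  return { before, after };
}

// Constructed sample input: content the default configuration removes
// (script, inline handler, custom element, comment) around a harmless <p>.
const UNTRUSTED_SAMPLE =
  '<p onclick="alert(1)">hello</p>' +
  "<script>alert(1)</script>" +
  "<my-widget>x</my-widget>" +
  "<!-- comment -->";

if (typeof document !== "undefined" && supportsSanitizerApi()) {
  const out = document.getElementById("output"); // assumed container id
  const stats = sanitizeAndRender(document, out, UNTRUSTED_SAMPLE, new Sanitizer());
  console.log("elements/attributes before and after sanitize():", stats);
}
```

In a supporting browser, the logged counts drop from three elements and one attribute to whatever the default configuration keeps (the page states that script elements, custom elements and comments are stripped). The pure helpers can be exercised outside a browser, which is what the accompanying checks do.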
Specifications

| Specification |
|---|
| HTML Sanitizer API # dom-sanitizer-sanitize |
Browser compatibility