---
title: "Element: setHTML() method"
short-title: setHTML()
slug: Web/API/Element/setHTML
page-type: web-api-instance-method
status:
- deprecated
browser-compat: api.Element.setHTML
---
{{APIRef("HTML Sanitizer API")}}{{SecureContext_Header}}{{deprecated_header}}

The **`setHTML()`** method of the {{domxref("Element")}} interface is used to parse and sanitize a string of HTML and then insert it into the DOM as a subtree of the element.
It should be used instead of {{domxref("Element.innerHTML")}} for inserting untrusted strings of HTML into an element.

The parsing process drops any elements in the HTML string that are invalid in the context of the current element, while sanitizing removes any unsafe or otherwise unwanted elements, attributes, or comments.
The default `Sanitizer()` configuration strips out XSS-relevant input by default, including {{HTMLElement("script")}} tags, custom elements, and comments.
The sanitizer configuration may be customized using {{domxref("Sanitizer.Sanitizer","Sanitizer()")}} constructor options.

## Syntax

```js-nolint
setHTML(input, options)
```

### Parameters

- `input`
  - : A string defining HTML to be sanitized.
- `options` {{optional_inline}}
  - : An options object with the following optional parameters:
    - `sanitizer`
      - : A {{domxref("Sanitizer")}} object which defines what elements of the input will be sanitized.
        If not specified, the default {{domxref("Sanitizer")}} object is used.

### Return value

None (`undefined`).

### Exceptions

None.

## Examples

The code below demonstrates how to sanitize a string of HTML and insert it into the `Element` with an id of `target`.

```js
const unsanitized_string = "abc <script>alert(1)<" + "/script> def"; // Unsanitized string of HTML
const sanitizer1 = new Sanitizer(); // Default sanitizer

// Get the Element with id "target" and set it with the sanitized string.
document
  .getElementById("target")
  .setHTML(unsanitized_string, { sanitizer: sanitizer1 });

// Result (as a string): "abc def"
```

> **Note:** This example uses the default sanitizer.
> The {{domxref("Sanitizer/Sanitizer","Sanitizer")}} constructor is used to configure sanitizer options.

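Because `setHTML()` is deprecated and not available in every browser, a practical concern when adopting it is what happens where it is missing: the safe failure mode is to render the untrusted string as inert text, never to fall back to `innerHTML`. The helper below is an added example, not code from the MDN page or the Sanitizer API specification. It assumes the caller passes an already-constructed {{domxref("Sanitizer")}} instance (or omits it to use the default), and it accepts any object exposing a `setHTML` method so the logic can be exercised outside a browser.

```javascript
// Added example (not from the MDN page or the Sanitizer API spec): insert
// untrusted HTML via Element.setHTML() when the method exists, and degrade to
// inert text (never to innerHTML) when it does not.
// Assumed: `sanitizer` is an already-constructed Sanitizer instance, or undefined
// to use the default configuration.

/**
 * Insert `untrusted` into `el`.
 * Returns "sanitized" when setHTML() was used, or "text" when the element has
 * no setHTML() and the string was inserted as plain text instead.
 */
function insertUntrustedHTML(el, untrusted, sanitizer) {
  if (typeof untrusted !== "string") {
    throw new TypeError("untrusted input must be a string");
  }
  if (typeof el.setHTML === "function") {
    // setHTML() parses in the context of `el` and sanitizes before insertion,
    // so markup such as <script> never reaches the live DOM.
    el.setHTML(untrusted, sanitizer ? { sanitizer } : undefined);
    return "sanitized";
  }
  // Safe fallback: the markup is shown as literal characters. This may look
  // wrong to the user, but it cannot execute; innerHTML is deliberately avoided.
  el.textContent = untrusted;
  return "text";
}

// Browser usage; skipped when run outside a document (for example under Node).
if (typeof document !== "undefined" && typeof Sanitizer !== "undefined") {
  const target = document.getElementById("target");
  const untrusted = "abc <script>alert(1)<" + "/script> def"; // constructed sample
  // Default configuration drops <script>, custom elements and comments.
  insertUntrustedHTML(target, untrusted, new Sanitizer());
}
```

The return value lets calling code log or surface which path was taken, which is useful when rolling the API out behind feature detection and you want to know how often the text fallback is hit.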
## Specifications

{{Specifications}}

## Browser compatibility

{{Compat}}