An HTML sanitizer
bors[bot] and mtorromeo Merge #103
103: Implement Display trait for Document r=notriddle a=mtorromeo

As the title says. This is to improve library interoperability and ergonomics so that this is possible `format!("sanitized: {}", ammonia::clean("<a onclick="evil()">link</a>"))` instead of `format!("sanitized: {}", ammonia::clean("<a onclick="evil()">link</a>").to_string())`

Co-authored-by: Massimiliano Torromeo <>
Latest commit 1458ccd Oct 5, 2018

HTML Sanitization

Requires rustc 1.24.0

Chat: Gitter, Matrix

Ammonia is a whitelist-based HTML sanitization library. It is designed to prevent cross-site scripting, layout breaking, and clickjacking caused by untrusted user-provided HTML being mixed into a larger web page.

Ammonia uses html5ever to parse and serialize document fragments the same way browsers do, so it is extremely resilient to syntactic obfuscation.

Ammonia parses its input exactly according to the HTML5 specification; it will not linkify bare URLs, insert line or paragraph breaks, or convert (C) into ©. If you want that, use a markup processor before running the sanitizer, like pulldown-cmark.


To use ammonia, add it to your project's Cargo.toml file:

```toml
[dependencies]
ammonia = "1.2.0"
```


Please see the CHANGELOG for a release history.


Example: using pulldown-cmark together with Ammonia for a friendly user-facing comment site. The Markdown is rendered to HTML first, and only then is the result sanitized.

```rust
extern crate pulldown_cmark;
extern crate ammonia;
use pulldown_cmark::{push_html, Parser, OPTION_ENABLE_TABLES};
use ammonia::clean;

fn main() {
    // Untrusted Markdown from a user; the link target is left empty here.
    let text = "[a link]()";
    let md_parse = Parser::new_ext(text, OPTION_ENABLE_TABLES);
    // Render the Markdown to HTML. This output is not yet safe to embed.
    let mut unsafe_html = String::new();
    push_html(&mut unsafe_html, md_parse);
    // Sanitize the rendered HTML against Ammonia's default whitelist.
    let safe_html = clean(&*unsafe_html);
    assert_eq!(safe_html, "<a href=\"\">a link</a>");
}
```


Ammonia builds a DOM, traverses it (replacing unwanted nodes along the way), and serializes it again. It could be faster for what it does, and if you don't want to allow any HTML it is possible to be even faster than that.

However, it takes about fifteen times longer to sanitize an HTML string using bleach-2.0.0 with html5lib-0.999999999 than it does using Ammonia 1.0.

```
$ cd benchmarks
$ cargo run --release
    Running `target/release/ammonia_bench`
87539 nanoseconds to clean up the intro to the Ammonia docs.
$ python
(1498800.015449524, 'nanoseconds to clean up the intro to the Ammonia docs.')
```


Licensed under either of these:


Thanks to the other sanitizer libraries, particularly Bleach for Python and sanitize-html for Node, which we blatantly copied most of our API from.

Thanks to ChALkeR, whose Improper Markup Sanitization document helped us find high-level semantic holes in Ammonia, and to ssokolow, whose review and experience were also very helpful.

And finally, thanks to the contributors.