Document: parseHTML() static method
Limited availability
This feature is not Baseline because it does not work in some of the most widely-used browsers.
Experimental: This is an experimental technology.
Check the Browser compatibility table carefully before using this in production.
The parseHTML() static method of the Document object provides an XSS-safe method to parse and sanitize a string of HTML in order to create a new Document instance.
Syntax
Document.parseHTML(input)
Document.parseHTML(input, options)
Parameters
input: A string defining HTML to be sanitized and injected into the shadow root.
options (Optional): An options object with the following optional parameters:
sanitizer: A Sanitizer or SanitizerConfig object which defines what elements of the input will be allowed or removed, or the string "default" for the default sanitizer configuration. Note that generally a Sanitizer is expected to be more efficient than a SanitizerConfig if the configuration is to be reused. If not specified, the XSS-safe default sanitizer configuration is used.
Return value
A Document.
Exceptions
TypeError: This is thrown if options.sanitizer is passed a:
- non-normalized SanitizerConfig (one that includes both "allowed" and "removed" configuration settings).
- string that does not have the value "default".
- value that is not a Sanitizer, SanitizerConfig, or string.
Description
The parseHTML() method parses and sanitizes a string of HTML in order to create a new Document instance that is XSS-safe. The resulting Document will have a content type of "text/html", a character set of UTF-8, and a URL of "about:blank".
If no sanitizer configuration is specified in the options.sanitizer parameter, parseHTML() uses the default Sanitizer configuration. This configuration allows all elements and attributes that are considered XSS-safe, thereby disallowing entities that are considered unsafe. A custom sanitizer or sanitizer configuration can be specified to choose which elements, attributes, and comments are allowed or removed. Note that even if unsafe options are allowed by the sanitizer configuration, they will still be removed when using this method (which implicitly calls Sanitizer.removeUnsafe()).
The input HTML may include declarative shadow roots. If the string of HTML defines more than one declarative shadow root in a particular shadow host, then only the first ShadowRoot is created; subsequent declarations are parsed as <template> elements within that shadow root.
parseHTML() should be used instead of Document.parseHTMLUnsafe(), unless there is a specific need to allow unsafe elements and attributes. If the HTML to be parsed doesn't need to contain unsafe HTML entities, then you should use Document.parseHTML().
Note that since this method always sanitizes input strings of XSS-unsafe entities, it is not secured or validated using the Trusted Types API.
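The following is an added example, not code from MDN or from the HTML Sanitizer API specification. It wraps Document.parseHTML() in a small helper that pre-checks the sanitizer option against the rules listed under Exceptions (a Sanitizer, a SanitizerConfig, or the string "default"; a SanitizerConfig that mixes "allowed" and "removed" settings is rejected with a TypeError) and feature-detects the method so that code never silently degrades to an unsafe parser. The SanitizerConfig key names used for the normalization check ("elements" and "attributes" as allow-style keys, "removeElements" and "removeAttributes" as remove-style keys) are an assumption taken from the Sanitizer API draft; this page does not list them. The browser-only usage at the end illustrates the point in the Description that unsafe content is removed even when a custom configuration allows it.

```javascript
// Added example (not MDN's or the Sanitizer API's own code): a defensive
// wrapper around Document.parseHTML(). It mirrors the rules stated on this page:
// options.sanitizer must be a Sanitizer, a SanitizerConfig, or "default", and a
// SanitizerConfig that mixes "allowed" and "removed" settings is non-normalized.
// Assumption: the key names below follow the HTML Sanitizer API draft; they are
// not listed on this page.
const ALLOW_KEYS = ["elements", "attributes"];
const REMOVE_KEYS = ["removeElements", "removeAttributes"];

// Classify an options.sanitizer value the way the page says parseHTML() treats it.
// Returns { kind: "default" | "sanitizer" | "config" | "error", ... }.
function classifySanitizerOption(opt) {
  if (opt === undefined) {
    // Omitted entirely: the XSS-safe default configuration applies.
    return { kind: "default" };
  }
  if (typeof opt === "string") {
    return opt === "default"
      ? { kind: "default" }
      : { kind: "error", reason: `unsupported sanitizer keyword "${opt}"` };
  }
  // `typeof` on an undeclared global never throws, so this is safe outside browsers.
  if (typeof Sanitizer !== "undefined" && opt instanceof Sanitizer) {
    return { kind: "sanitizer" };
  }
  if (opt !== null && typeof opt === "object" && !Array.isArray(opt)) {
    const allowed = ALLOW_KEYS.filter((k) => k in opt);
    const removed = REMOVE_KEYS.filter((k) => k in opt);
    if (allowed.length > 0 && removed.length > 0) {
      return {
        kind: "error",
        reason: `non-normalized SanitizerConfig: mixes ${allowed.join(",")} with ${removed.join(",")}`,
      };
    }
    return { kind: "config", allowed, removed };
  }
  return { kind: "error", reason: 'sanitizer must be a Sanitizer, a SanitizerConfig, or "default"' };
}

// True only where the XSS-safe parser actually exists. Callers should not fall
// back to Document.parseHTMLUnsafe() when this returns false.
function hasParseHtml() {
  return typeof Document !== "undefined" && typeof Document.parseHTML === "function";
}

// Validate the option up front (same TypeError the browser would raise), then
// delegate to the browser's parseHTML(). Refuses to run without the safe parser.
function parseHtmlSafely(html, options = {}) {
  const verdict = classifySanitizerOption(options.sanitizer);
  if (verdict.kind === "error") {
    throw new TypeError(verdict.reason);
  }
  if (!hasParseHtml()) {
    throw new Error("Document.parseHTML() is not available in this environment");
  }
  return Document.parseHTML(html, options);
}

// Browser-only usage with constructed input. Even though "script" is listed in
// `elements`, the Description above says unsafe content is still removed, so the
// resulting document keeps the <p> but contains neither the script element nor
// the onclick attribute:
//
//   const doc = parseHtmlSafely(
//     '<p onclick="run()">hi</p><script>run()</script>',
//     { sanitizer: { elements: ["p", "script"] } }
//   );
//   doc.querySelector("script")          // null
//   doc.querySelector("p").hasAttribute("onclick")  // false
```

The wrapper deliberately throws rather than falling back to Document.parseHTMLUnsafe() when parseHTML() is missing: a fallback would turn a feature-detection failure into exactly the XSS exposure this method exists to prevent.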
Specifications
| Specification |
|---|
| HTML Sanitizer API # dom-document-parsehtml |
Browser compatibility
See also
- Document.parseHTMLUnsafe()
- Element.setHTML() and Element.setHTMLUnsafe()
- ShadowRoot.setHTML() and ShadowRoot.setHTMLUnsafe()
- DOMParser.parseFromString() for parsing HTML or XML into a DOM tree
- HTML Sanitizer API