
SanitizerConfig

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The SanitizerConfig dictionary of the HTML Sanitizer API represents a sanitizer configuration object. The configuration specifies what elements, attributes and comments are allowed or should be removed when inserting strings of HTML into an Element or ShadowRoot, or when parsing an HTML string into a Document.

An instance of this type can be passed to the Sanitizer() constructor to configure a Sanitizer, and is returned by Sanitizer.get(). It can also be passed as the option.sanitizer parameter when calling the sanitization methods:

Note that normally a Sanitizer instance would be passed as the option instead of SanitizerConfig in the above methods, in particular because sanitizer instances are more efficient to share and modify.

Instance properties

elements

An array indicating the elements to allow when sanitizing HTML, optionally also specifying their allowed or removed attributes.

Each element can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the element.

namespace Optional

A string containing the namespace of the element. The default namespace is "http://www.w3.org/1999/xhtml".

attributes Optional

An array indicating the attributes to allow on this (allowed) element when sanitizing HTML.

Each attribute can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the attribute.

namespace Optional

A string containing the namespace of the attribute, which defaults to null.

removeAttributes Optional

An array indicating the attributes to remove on this (allowed) element when sanitizing HTML.

Each attribute can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the attribute.

namespace Optional

A string containing the namespace of the attribute, which defaults to null.

removeElements

An array indicating the elements to remove when sanitizing HTML.

Each element can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the element.

namespace Optional

A string containing the namespace of the element. The default namespace is "http://www.w3.org/1999/xhtml".

replaceWithChildrenElements

An array indicating the elements to replace with their content when sanitizing HTML. This is primarily used to strip styles from text (for example, you could use this to change <b>some text</b> to some text).

Each element can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the element.

namespace Optional

A string containing the namespace of the element. The default namespace is "http://www.w3.org/1999/xhtml".

attributes

An array indicating the attributes to allow when sanitizing HTML.

Each attribute can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the attribute.

namespace Optional

A string containing the namespace of the attribute, which defaults to null.

removeAttributes

An array indicating the attributes to remove from elements when sanitizing HTML.

Each attribute can be specified by name (a string), or as an object with the following properties:

name

A string containing the name of the attribute.

namespace Optional

A string containing the namespace of the attribute, which defaults to null.

comments

true if comments are allowed, and false if they are to be removed.

dataAttributes

true if data attributes are allowed, and false if they are to be removed.

Examples

Creating an "allow" configuration

This example shows how you might create an "allow" sanitizer configuration, and in this case pass it to the Sanitizer() constructor.

js
const sanitizer = new Sanitizer({
  elements: ["div", "p", "script"],
  attributes: ["id"],
  replaceWithChildrenElements: ["b"],
  comments: true,
  dataAttributes: false,
});

Note that you cannot specify both allow and remove lists in the same configuration without causing an exception when passing the configuration to the constructor or a sanitization method.

Creating a "remove" configuration

This example shows how you might create a "remove" sanitizer configuration, and in this case pass it to the Sanitizer() constructor.

js
const sanitizer = new Sanitizer({
  removeElements: ["span", "script"],
  removeAttributes: ["lang", "id"],
  comments: false,
});

Note that you cannot specify both allow and remove lists in the same configuration without causing an exception when passing the configuration to the constructor or a sanitization method.
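The following is an added example, not code from MDN or the Sanitizer API: a pre-flight lint that expands every entry of a configuration to the { name, namespace } form with the default namespaces documented above, and reports a configuration that mixes allow and remove lists before it reaches the constructor. It also reports keys this page does not document, because a dictionary member the browser does not recognise is ignored rather than rejected, so a misspelled list silently has no effect. The names lintSanitizerConfig, normalizeEntry and normalizeAllowedElement are hypothetical, and the allow/remove rule is applied conservatively (any allow list together with any remove list); the browser's own validation remains authoritative.

```javascript
// Added example: pre-flight lint for a SanitizerConfig-shaped object.
// lintSanitizerConfig and its helpers are hypothetical names, not Sanitizer API.
const XHTML_NS = "http://www.w3.org/1999/xhtml";
const ELEMENT_LISTS = ["elements", "removeElements", "replaceWithChildrenElements"];
const ATTRIBUTE_LISTS = ["attributes", "removeAttributes"];

// Expand a string or { name, namespace } entry, filling in the documented default namespace.
function normalizeEntry(entry, defaultNamespace) {
  if (typeof entry === "string") return { name: entry, namespace: defaultNamespace };
  if (entry === null || typeof entry !== "object" || typeof entry.name !== "string") {
    throw new TypeError("entry must be a string or an object with a string name");
  }
  return { ...entry, namespace: entry.namespace === undefined ? defaultNamespace : entry.namespace };
}

// Entries of `elements` may carry their own attribute lists; normalize those too.
function normalizeAllowedElement(entry) {
  const element = normalizeEntry(entry, XHTML_NS);
  for (const key of ATTRIBUTE_LISTS) {
    if (element[key] !== undefined) element[key] = element[key].map((a) => normalizeEntry(a, null));
  }
  return element;
}

function lintSanitizerConfig(config) {
  const normalized = {};
  const problems = [];
  for (const [key, value] of Object.entries(config)) {
    if (key === "elements") normalized[key] = value.map(normalizeAllowedElement);
    else if (ELEMENT_LISTS.includes(key)) normalized[key] = value.map((e) => normalizeEntry(e, XHTML_NS));
    else if (ATTRIBUTE_LISTS.includes(key)) normalized[key] = value.map((a) => normalizeEntry(a, null));
    else if (key === "comments" || key === "dataAttributes") normalized[key] = value;
    else problems.push(`unknown key "${key}" (not a documented SanitizerConfig property)`);
  }
  // Conservative reading of the page's rule: any allow list plus any remove list.
  const allow = ["elements", "attributes"].filter((k) => k in normalized);
  const remove = ["removeElements", "removeAttributes"].filter((k) => k in normalized);
  if (allow.length > 0 && remove.length > 0) {
    problems.push(`mixes allow lists (${allow.join(", ")}) with remove lists (${remove.join(", ")})`);
  }
  return { normalized, problems };
}

// Constructed inputs: the page's "allow" example, and a mixed config with a misspelled key.
const allowConfig = { elements: ["div", "p", "script"], attributes: ["id"],
  replaceWithChildrenElements: ["b"], comments: true, dataAttributes: false };
const mixedConfig = { elements: ["p", { name: "a", attributes: ["href"] }],
  removeAttributes: ["id"], removeElement: ["script"] };
console.log(lintSanitizerConfig(allowConfig).problems, lintSanitizerConfig(mixedConfig).problems);
```
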

Specifications

Specification
HTML Sanitizer API # dom-sanitizer-get
HTML Sanitizer API # dom-sanitizer-sanitizer

Browser compatibility

api.Sanitizer.get

api.Sanitizer.Sanitizer


This page was last modified on by MDN contributors.

