ShadowRoot: setHTML() method

ThesetHTML() method of the ShadowRoot interface provides an XSS-safe method to parse and sanitize a string of HTML into aDocumentFragment, which then replaces the existing tree in the Shadow DOM.

Syntax

setHTML(input)setHTML(input, options)

Parameters

input

A string defining HTML to be sanitized and injected into the shadow root.

optionsOptional

An options object with the following optional parameters:

sanitizer: ASanitizer orSanitizerConfig object which defines what elements of the input will be allowed or removed, or the string"default" for the default sanitizer configuration.Note that generally a"Sanitizer is expected to be more efficient than aSanitizerConfig if the configuration is to reused.If not specified, the default sanitizer configuration is used.

Return value

None (undefined).

Exceptions

TypeError

This is thrown ifoptions.sanitizer is passed a:

non-normalizedSanitizerConfig (one that includes both "allowed" and "removed" configuration settings).
string that does not have the value"default".
value that is not aSanitizer,SanitizerConfig, or string.

Description

ThesetHTML() method provides an XSS-safe method to parse and sanitize a string of HTML and use it to replace the existing tree in the Shadow DOM.

setHTML() removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

If no sanitizer configuration is specified in theoptions.sanitizer parameter,setHTML() is used with the defaultSanitizer configuration.This configuration allows all elements and attributes that are considered XSS-safe, thereby disallowing entities that are considered unsafe.A custom sanitizer or sanitizer configuration can be specified to choose which elements, attributes, and comments are allowed or removed.Note that even if unsafe options are allowed by the sanitizer configuration, they will still be removed when using this method (which implicitly callsSanitizer.removeUnsafe()).

setHTML() should be used instead ofShadowRoot.innerHTML for inserting untrusted strings of HTML into the shadow DOM.It should also be used instead ofShadowRoot.setHTMLUnsafe(), unless there is a specific need to allow unsafe elements and attributes.

Note that since this method always sanitizes input strings of XSS-unsafe entities, it is not secured or validated using theTrusted Types API.

Examples

Basic usage

This example shows some of the ways you can usesetHTML() to sanitize and inject a string of HTML.

First we will create theShadowRoot we want to target.This could be created programmatically usingElement.attachShadow() but for this example we'll create the root declaratively.

html

<div>  <template shadowrootmode="open">    <span>A span element in the shadow DOM</span>  </template></div>

We can get a handle to the shadow root from the#host element like this:

const shadow = document.querySelector("#host").shadowRoot;

The code below shows how we can callsetHTML() with a string and different sanitizers in order to filter and inject the HTML into the shadow root.

// Define unsanitized string of HTMLconst unsanitizedString = "abc <script>alert(1)<" + "/script> def";// setHTML() with default sanitizershadow.setHTML(unsanitizedString);// Define custom Sanitizer and use in setHTML()// This allows only elements: <div>, <p>, <span> (<script> is unsafe and will be removed)const sanitizer1 = new Sanitizer({ elements: ["div", "p", "span", "script"] });shadow.setHTML(unsanitizedString, { sanitizer: sanitizer1 });// Define custom SanitizerConfig within setHTML()// This removes elements <div>, <p>, <span>, <script>, and any other unsafe elements/attributesshadow.setHTML(unsanitizedString, {  sanitizer: { removeElements: ["div", "p", "span", "script"] },});

`setHTML()` live example

This example provides a "live" demonstration of the method when called with different sanitizers.The code defines buttons that you can click to sanitize and inject a string of HTML using a default and a custom sanitizer, respectively.The original string and sanitized HTML are logged so you can inspect the results in each case.

HTML

The HTML defines two<button> elements for applying different sanitizers, another button to reset the example, and a<div> that contains the declarative shadow root.

html

<button type="button">Default</button><button type="button">allowScript</button><button type="button">Reload</button><div>  <template shadowrootmode="open">    <span>I am in the shadow DOM </span>  </template></div>

<pre></pre>

#log {  height: 220px;  overflow: scroll;  padding: 0.5rem;  border: 1px solid black;  margin: 5px;}

JavaScript

const logElement = document.querySelector("#log");function log(text) {  logElement.textContent += text;}

if ("Sanitizer" in window) {

First we define the handler for the reload button.

const reload = document.querySelector("#reload");reload.addEventListener("click", () => document.location.reload());

Then we define the string to sanitize, which will be the same for all cases.This contains the<script> element and theonclick handler, both of which are considered XSS-unsafe.We also get variableshadow, which is our handle to the shadow root.

// Define unsafe string of HTMLconst unsanitizedString = `  <div>    <p>Paragraph to inject into shadow DOM. <button>Click me</button></p>    <script src="path/to/a/module.js" type="module"><script>  </div>`;const shadow = document.querySelector("#host").shadowRoot;

Next we define the click handler for the button that sets the shadow root with the default sanitizer.This should strip out all unsafe entities before inserting the string of HTML.Note that you can see exactly which elements are removed in theSanitizer() constructor examples.

const defaultSanitizerButton = document.querySelector("#buttonDefault");defaultSanitizerButton.addEventListener("click", () => {  // Set the content of the element using the default sanitizer  shadow.setHTML(unsanitizedString);  // Log HTML before sanitization and after being injected  logElement.textContent =    "Default sanitizer: remove &lt;script&gt; element and onclick attribute\n\n";  log(`\nunsanitized: ${unsanitizedString}`);  log(`\nsanitized: ${shadow.innerHTML}`);});

The next click handler sets the target HTML using a custom sanitizer that allows only<div>,<p>, and<script> elements.Note that because we're using thesetHTML method,<script> will also be removed!

const allowScriptButton = document.querySelector("#buttonAllowScript");allowScriptButton.addEventListener("click", () => {  // Set the content of the element using a custom sanitizer  const sanitizer1 = new Sanitizer({    elements: ["div", "p", "script"],  });  shadow.setHTML(unsanitizedString, { sanitizer: sanitizer1 });  // Log HTML before sanitization and after being injected  logElement.textContent =    "Sanitizer: {elements: ['div', 'p', 'script']}\n Script removed even though allowed\n";  log(`\nunsanitized: ${unsanitizedString}`);  log(`\nsanitized: ${shadow.innerHTML}`);});

} else {  log("The HTML Sanitizer API is NOT supported in this browser.");  // Provide fallback or alternative behavior}

Results

Click the "Default" and "allowScript" buttons to see the effects of the default and custom sanitizer, respectively.Note that because we are using a same sanitization method, in both cases the<script> element andonclick handler are removed, even if explicitly allowed by the sanitizer.

Specifications

Specification
HTML Sanitizer API # dom-shadowroot-sethtml

Browser compatibility

Help improve MDN

Was this page helpful to you?

Learn how to contribute.

This page was last modified onJun 23, 2025 byMDN contributors.

View this page on GitHub •Report a problem with this content

Movatterモバイル変換

In this article