Document: parseHTMLUnsafe() static method
Baseline 2024Newly available
Since July 2024, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
The parseHTMLUnsafe()
static method of the Document
object is used to parse an HTML input, optionally filtering unwanted HTML elements and attributes, in order to create a new Document
instance.
Unlike with Document.parseHTML()
, XSS-unsafe HTML entities are not guaranteed to be removed.
Syntax
Document.parseHTMLUnsafe(input)
Document.parseHTMLUnsafe(input, options)
Parameters
input
A string or
TrustedHTML
instance defining HTML to be parsed.options
OptionalAn options object with the following optional parameters:
sanitizer
OptionalA
Sanitizer
orSanitizerConfig
object which defines what elements of the input will be allowed or removed. Note that generally a"Sanitizer
is expected than the to be more efficient than aSanitizerConfig
if the configuration is to reused. If not specified, no sanitizer is used.
Return value
A Document
.
Exceptions
TypeError
This is thrown if:
html
is passed a string when Trusted Types are enforced by a CSP and no default policy is defined.options.sanitizer
is passed a:- value that is not a
Sanitizer
,SanitizerConfig
, or string. - non-normalized
SanitizerConfig
(one that includes both "allowed" and "removed" configuration settings). - string that does not have the value
"default"
.
- value that is not a
Description
The parseHTMLUnsafe()
static method can be used to create a new Document
instance, optionally filter out unwanted elements and attributes. The resulting Document
will have a content type of "text/html", a character set of UTF-8, and a URL of "about:blank".
The suffix "Unsafe" in the method name indicates that, while the method does allow the input string to be filtered of unwanted HTML entities, it does not enforce the sanitization or removal of potentially unsafe XSS-relevant input. If no sanitizer configuration is specified in the options.sanitizer
parameter, parseHTMLUnsafe()
is used without any sanitization. Note that <script>
elements are not evaluated during parsing.
The input HTML may include declarative shadow roots. If the string of HTML defines more than one declarative shadow root in a particular shadow host then only the first ShadowRoot
is created — subsequent declarations are parsed as <template>
elements within that shadow root.
parseHTMLUnsafe()
should be instead of Document.parseHTML()
when parsing potentially unsafe strings of HTML that for whatever reason need to contain XSS-unsafe elements or attributes. If the HTML to be parsed doesn't need to contain unsafe HTML entities, then you should use Document.parseHTML()
.
Note that since this method does not necessarily sanitize input strings of XSS-unsafe entities, input strings should also be validated using the Trusted Types API. If the method is used with both a trusted types and a sanitizer, the HTML input will be passed through the trusted type transformation function before it is sanitized.
Specifications
Specification |
---|
HTML # dom-parsehtmlunsafe |
Browser compatibility
See also
Document.parseHTML()
Element.setHTML()
andElement.setHTMLUnsafe()
ShadowRoot.setHTML()
andShadowRoot.setHTMLUnsafe()
DOMParser.parseFromString()
for parsing HTML or XML into a DOM tree- HTML Sanitizer API