### Install lettersanitizer with npm or yarn Source: https://github.com/mat-sz/lettersanitizer/blob/main/README.md Install the lettersanitizer package using either npm or yarn. This is the first step before using the library. ```sh npm install lettersanitizer # or: yarn install lettersanitizer ``` -------------------------------- ### sanitize(html, text?, options?) Source: https://context7.com/mat-sz/lettersanitizer/llms.txt The main exported function. Accepts an HTML string, an optional plain-text fallback, and an options object. Processes HTML through a strict allowlist and returns a safe HTML string wrapped in a scoped `
`. ```APIDOC ## `sanitize(html, text?, options?)` — Core sanitization function ### Description The main exported function. Accepts an HTML string, an optional plain-text fallback, and an options object. If `html` is empty but `text` is provided, the plain text is converted to escaped `

` elements. The sanitized result is returned as an HTML string, by default wrapped in a `

` with a unique or user-specified ID. ### Parameters - **html** (string) - The raw HTML string to sanitize. - **text** (string, optional) - A plain-text fallback if `html` is empty. - **options** (object, optional) - Configuration options for sanitization. - **id** (string) - Sets the `id` of the wrapping `
` element. CSS selectors and element attributes are scoped with this ID. - **rewriteExternalLinks** (function(string): string, optional) - A callback invoked for every `href` attribute value on `` elements. The return value of this callback is used as the new `href`. ### Request Example ```typescript import { sanitize } from 'lettersanitizer'; // Basic usage: sanitize raw email HTML const result = sanitize('Hello', '', { id: 'email_001' }); // => '
Hello
' // Plain-text fallback when no HTML is present const textResult = sanitize('', 'Hello\nWorld', { id: 'email_002' }); // => '

Hello

\n

World

' // Non-allowlisted tags are unwrapped (children preserved), allowlisted tags kept const mixed = sanitize('boldplain', '', { id: 'email_003' }); // => '
boldplain
' // Dangerous attributes are stripped const xss = sanitize('', '', { id: 'email_004' }); // => '
' ``` ### Response - **sanitizedHtml** (string) - The sanitized HTML string, wrapped in a `
`. ``` -------------------------------- ### SanitizerOptions.rewriteExternalResources Source: https://context7.com/mat-sz/lettersanitizer/llms.txt A callback invoked for every src attribute on elements (e.g., ) and every url() value in inline or embedded CSS. Used to proxy or block remote resource loading. When set, schema restrictions are bypassed for resources. ```APIDOC ## SanitizerOptions.rewriteExternalResources ### Description A callback invoked for every `src` attribute on elements (e.g., ``) and every `url()` value in inline or embedded CSS. Used to proxy or block remote resource loading. When set, schema restrictions are bypassed for resources. ### Usage ```typescript import { sanitize } from 'lettersanitizer'; const proxy = (url: string) => `https://imgproxy.example.com/?src=${encodeURIComponent(url)}`; const result = sanitize( ` text`, '', { id: 'msg_res', rewriteExternalResources: proxy, } ); // Images and CSS backgrounds are proxied: // // text ``` ``` -------------------------------- ### SanitizerOptions.allowedSchemas Source: https://context7.com/mat-sz/lettersanitizer/llms.txt An array of allowed URL schemes (protocols) for href and src attributes when no rewrite callbacks are set. Defaults to ['http', 'https', 'mailto']. Scheme matching is case-insensitive. URLs with disallowed schemes have their attribute removed entirely. ```APIDOC ## SanitizerOptions.allowedSchemas ### Description An array of allowed URL schemes (protocols) for `href` and `src` attributes when no rewrite callbacks are set. Defaults to `['http', 'https', 'mailto']`. Scheme matching is case-insensitive. URLs with disallowed schemes have their attribute removed entirely. ### Usage ```typescript import { sanitize } from 'lettersanitizer'; // Default schemas: http, https, mailto are allowed const safe = sanitize('Email us', '', { id: 'test' }); // => '' // ftp:// is not in the default list — href is stripped const ftpBlocked = sanitize('FTP', '', { id: 'test' }); // => '' // Allow data: URIs for inline images (e.g., in offline/embedded email viewers) const withData = sanitize( '', '', { id: 'test', allowedSchemas: ['http', 'https', 'mailto', 'data'] } ); // => '
' ``` ``` -------------------------------- ### CSS Scoping and Media Rule Handling Source: https://context7.com/mat-sz/lettersanitizer/llms.txt Demonstrates how Lettersanitizer automatically scopes embedded ` `, '', { id: 'email' } ); // @keyframes, @font-face, @import are removed // body selector → #email body, .header → #email .email_header, #logo → #email #email_logo // @media block is preserved and scoped // => '
' ``` -------------------------------- ### Customizing Allowed CSS Properties Source: https://context7.com/mat-sz/lettersanitizer/llms.txt Extend the default allowlist of CSS properties to include custom ones. Ensure that only the specified properties are retained in inline styles and `', '', { noWrapper: true } ); // Class names and CSS selectors are NOT prefixed: // => '

Hello!

' // Compare: with wrapper and id, classes are prefixed const wrapped = sanitize( '

Hello!

', '', { id: 'msg' } ); // => '

Hello!

' ``` ``` -------------------------------- ### Exported Default CSS Property Allowlist Source: https://context7.com/mat-sz/lettersanitizer/llms.txt Access the default list of allowed CSS properties for inspection or extension. This list can be used as a base for creating custom allowlists. ```typescript import { allowedCssProperties } from 'lettersanitizer'; console.log(allowedCssProperties.includes('color')); // true console.log(allowedCssProperties.includes('pointer-events')); // false console.log(allowedCssProperties.length); // ~130 properties // Use as a base to build a custom allowlist const myAllowedProperties = [...allowedCssProperties, 'pointer-events', 'cursor']; ``` -------------------------------- ### SanitizerOptions.dropAllHtmlTags Source: https://context7.com/mat-sz/lettersanitizer/llms.txt When true, all HTML tags are removed and only their text content is preserved.

Welcome

`, '', { id: 'msg_123' } ); // CSS selectors and element attributes are scoped: // => '

Welcome

' ``` -------------------------------- ### SanitizerOptions.preserveCssPriority Source: https://context7.com/mat-sz/lettersanitizer/llms.txt Controls whether !important declarations are preserved in sanitized CSS. Defaults to true. Set to false to strip all !important flags, useful when the host page's styles should be able to override email styles. ```APIDOC ## SanitizerOptions.preserveCssPriority ### Description Controls whether `!important` declarations are preserved in sanitized CSS. Defaults to `true`. Set to `false` to strip all `!important` flags, useful when the host page's styles should be able to override email styles. ### Usage ```typescript import { sanitize } from 'lettersanitizer'; // Default: !important is preserved const preserved = sanitize( '

text

', '', { noWrapper: true } ); // => '

text

' // Stripped: !important removed const stripped = sanitize( '

text

', '', { noWrapper: true, preserveCssPriority: false } ); // => '

text

' ``` ``` -------------------------------- ### Strip All HTML Tags Source: https://context7.com/mat-sz/lettersanitizer/llms.txt Set `dropAllHtmlTags` to `true` to remove all HTML tags and preserve only the text content. This is useful for rendering plain-text views. ```typescript import { sanitize } from 'lettersanitizer'; const result = sanitize( '

Hello World

This is important

', '', { id: 'plain', dropAllHtmlTags: true } ); // => '
Hello WorldThis is important
' ``` -------------------------------- ### sanitize function Source: https://github.com/mat-sz/lettersanitizer/blob/main/README.md The sanitize function uses DOMParser to sanitize HTML content and returns safe HTML text. It accepts the HTML string, fallback text, and an optional options object. ```APIDOC ## sanitize function ### Description Sanitizes HTML content using DOMParser and returns safe HTML text. `text` is used for fallback if no HTML source is available. ### Signature ```typescript function sanitize(html: string, text?: string, options?: SanitizerOptions) ``` ### Parameters #### `html` (string) - Required The HTML content to sanitize. #### `text` (string) - Optional Fallback text to use if no HTML source is available. #### `options` (SanitizerOptions) - Optional An object containing sanitization options. ```typescript interface SanitizerOptions { id?: string; dropAllHtmlTags?: boolean; rewriteExternalResources?: (url: string) => string; rewriteExternalLinks?: (url: string) => string; allowedSchemas?: string[]; preserveCssPriority?: boolean; noWrapper?: boolean; } ``` ### Request Example ```typescript import { sanitize } from 'lettersanitizer'; sanitize('test', '', { id: 'test' }); // Expected output:
test
``` ### Response Returns the sanitized HTML string. ``` -------------------------------- ### Remove Outer Wrapper Element Source: https://context7.com/mat-sz/lettersanitizer/llms.txt Use `noWrapper: true` to return sanitized content without the default wrapping `
` element. CSS scoping is also disabled. ```typescript import { sanitize } from 'lettersanitizer'; const result = sanitize( '

Hello!

', '', { noWrapper: true } ); // Class names and CSS selectors are NOT prefixed: // => '

Hello!

' // Compare: with wrapper and id, classes are prefixed const wrapped = sanitize( '

Hello!

', '', { id: 'msg' } ); // => '

Hello!

' ``` -------------------------------- ### Control CSS !important Declarations Source: https://context7.com/mat-sz/lettersanitizer/llms.txt The `preserveCssPriority` option controls whether `!important` declarations are kept in sanitized CSS. Defaults to `true`. ```typescript import { sanitize } from 'lettersanitizer'; // Default: !important is preserved const preserved = sanitize( '

text

', '', { noWrapper: true } ); // => '

text

' // Stripped: !important removed const stripped = sanitize( '

text

', '', { noWrapper: true, preserveCssPriority: false } ); // => '

text

' ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.