### Query Sanitizer Configuration with get() Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Use `get()` to inspect the effective configuration of a Sanitizer instance, showing allowed elements and attributes in their canonical form. Note that elements disallowed in safe contexts, like 'script', may be omitted. ```js const a_simple_config = new Sanitizer({ elements: [ "div", "p", "span", "script" ] }); a_simple_config.get(); ``` ```json { elements: [ { "name": "div", "namespace": "http://www.w3.org/1999/xhtml" }, { "name": "p", "namespace": "http://www.w3.org/1999/xhtml" }, { "name": "span", "namespace": "http://www.w3.org/1999/xhtml" } ], attributes: [ { "name": "href", "namespace": "" }, { "name": "class, "namespace": "" }, { "name": "id", "namespace": "" }, // ... many more ] } ``` -------------------------------- ### Mixing Allow and Replace-with-Children Lists Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Combining allow-lists and replace-with-children-lists in a configuration is permissible. This example shows retaining simple styling elements while replacing others with their children. ```javascript // Mixing allow and replace with children lists works. const config_that_retains_simple_styling_but_most_text = new Sanitizer({ elements: ["p", "b", "i"], replaceWithChildrenElements: ["div", "span", "em", "u", "s", "li"], }); const styled_text = "

Some colourful styled text"; //

Some colourful styled text

element.setHTML(styled_text, {sanitizer: config_that_retains_simple_styling_but_most_text}); ``` -------------------------------- ### Query Sanitizer Configuration with remove-lists Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md When querying a Sanitizer configured with `removeElements` or `removeAttributes`, the `get()` method returns the effective allow-list equivalents based on built-in defaults. ```js new Sanitizer({ removeElements: [ "span" ], removeAttributes: ["id", "class"] }).get(); ``` ```json { elements: [ { "name": "div", "namespace": "http://www.w3.org/1999/xhtml" }, { "name": "p", "namespace": "http://www.w3.org/1999/xhtml" }, // ... many more. But no span. ], attributes: [ { "name": "href", "namespace": "" }, // ... many more. But no id or class. ] } ``` -------------------------------- ### Safe HTML Sanitization Example Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Demonstrates the 'safe' methods of the Sanitizer API, which remove script-related content and attributes like `onclick` and `onload`, while allowing other attributes and elements to pass through. ```javascript element.setHTML(``); //
``` -------------------------------- ### Local and Global Attribute Configuration Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Listing an attribute in both the global 'attributes' list and an element-specific 'removeAttributes' list is allowed. The element-specific action takes precedence. This example shows 'class' being globally allowed but removed from 'b' elements. ```javascript const config_with_local_and_global_attributes = new Sanitizer({ elements: [ "span", { name: "b", removeAttributes: [ "class" ] } ], attributes: ["class"] }); //
abc def
element.setHTML("abc def", {sanitizer: config_with_local_and_global_attributes}); ``` -------------------------------- ### Combining Element Filtering and Child Preservation Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Combine 'elements' and 'replaceWithChildrenElements' to allow specific elements while preserving the children of others. This example allows 'b' and 'i' tags and replaces 'span' tags with their children. ```javascript const config_replace_spans = new Sanitizer({ elements: ["b", "i"], replaceWithChildrenElements: ["span"] }); //
Fancy text with pizzazz.
element.setHTML( "Fancy text with pizzazz.", { sanitizer: config_replace_spans} ); ``` -------------------------------- ### Removing Specific Attributes from an Element Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Use 'removeAttributes' within an element's configuration to remove specific attributes from that element type. This example removes 'src' attributes from 'input' elements. ```javascript const remove_src_attribute_from_input = new Sanitizer({ elements: [{ name: "input", removeAttributes: ["src"]}], }); ``` -------------------------------- ### Using Configuration Dictionary Directly vs. Sanitizer Object Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Shows two equivalent ways to apply a configuration: directly passing a dictionary to setHTML, or creating a Sanitizer object with the dictionary and passing that. Using a Sanitizer object is recommended for performance when the configuration is reused. ```javascript const config_dict = { elements: [ "div", "p", "em", "b", "span" ], attributes: [ "class", "style" ] }; // These two should be the same: const some_html_string = "..."; div.setHTML(some_html_string, {sanitizer: config_dict}); div.setHTML(some_html_string, {sanitizer: new Sanitizer(config_dict)}); ``` -------------------------------- ### Basic Sanitizer Configuration with Unsafe HTML Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Demonstrates creating a Sanitizer with a configuration that includes 'script' elements and using it with both setHTML (which ignores unsafe configurations) and setHTMLUnsafe (which allows them). ```javascript const an_unsafe_config = new Sanitizer({ 'elements': [ { name: 'script' } ] }); element.setHTML(" sneaky.setHTMLUnsafe("boring();"); // sneaky.setHTML("alert('Surprise!');"); // ``` -------------------------------- ### XML Document Parsing with Sanitizer API Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Shows how parsing in XML documents adheres to HTML parsing rules, contrasting with `innerHTML`. `setHTML` on an element within an XHTML document correctly handles case and closing elements, while direct assignment to `innerHTML` might throw errors. ```javascript const element_xml = new DOMParser().parseFromString("
", "application/xhtml+xml").getElementsByTagName("div")[0]; const example_not_xml = "
bla"; element_xml.getRootNode().contentType; // application/xhtml+xml element_xml.innerHTML = example_not_xml; // Throws. element_xml.setHTML(example_not_xml); //
bla
// Note case and closing elements. element.setHTML(example_not_xml); // Same as above. ``` -------------------------------- ### DOMPurify Hooks Source: https://github.com/wicg/sanitizer-api/blob/main/comparison.md DOMPurify provides a hook system for intercepting and modifying the sanitization process at various stages, offering fine-grained control. ```javascript beforeSanitizeElements uponSanitizeElement afterSanitizeElements beforeSanitizeAttributes uponSanitizeAttribute afterSanitizeAttributes beforeSanitizeShadowDOM uponSanitizeShadowNode afterSanitizeShadowDOM ``` -------------------------------- ### Allowing HTML Comments Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Enable the handling of HTML comment nodes by setting the 'comments' option to true. This allows comments to be preserved in the sanitized output. ```javascript const config_comments: new Sanitizer({ comments: true }); element.setHTML("XXXXXX", {sanitizer: config_comments}); //
XXXXXX
``` -------------------------------- ### Add Contributor to Pull Request Source: https://github.com/wicg/sanitizer-api/blob/main/CONTRIBUTING.md Use this syntax to add a GitHub username as a contributor to a pull request, with one username per line. ```markdown +@github_username ``` -------------------------------- ### DOMPurify Return Value Types Source: https://github.com/wicg/sanitizer-api/blob/main/comparison.md DOMPurify supports various return types for sanitized content, influencing allowed tags. Use these constants to specify the desired output format. ```javascript RETURN_DOM RETURN_DOM_FRAGMENT RETURN_DOM_IMPORT RETURN_TRUSTED_TYPE ``` -------------------------------- ### DOMPurify Content Filtering Options Source: https://github.com/wicg/sanitizer-api/blob/main/comparison.md Configure DOMPurify to control which HTML tags, attributes, and protocols are allowed or forbidden. These options help define the sanitization scope. ```javascript ALLOWED_TAGS ALLOWED_ATTR FORBID_TAGS FORBID_ATTR ADD_TAGS ADD_ATTR ALLOW_DATA_ATTR ALLOW_UNKNOWN_PROTOCOLS ALLOWED_URI_REGEXP ADD_URI_SAFE_ATTR ALLOW_ARIA_ATTR SAFE_FOR_TEMPLATES SAFE_FOR_JQUERY ``` -------------------------------- ### Replacing Elements While Preserving Children Source: https://github.com/wicg/sanitizer-api/blob/main/explainer.md Utilize 'replaceWithChildrenElements' to remove specified elements but keep their child content. This is useful for stripping formatting while retaining text. ```javascript const config_that_removes_elements_but_preserves_their_children = new Sanitizer({ replaceWithChildrenElements: ["span", "em", "u", "s", "i", "b"] }); element.setHTML( "Fancy text with pizzazz.", { sanitizer: config_that_removes_elements_but_preserves_their_children }); //
Fancy text with pizzazz.
``` -------------------------------- ### Remove Contributor from Pull Request Source: https://github.com/wicg/sanitizer-api/blob/main/CONTRIBUTING.md Use this syntax to remove a GitHub username from a pull request, typically to correct an accidental addition or to remove yourself if you had no part in designing the feature. ```markdown -@github_username ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.