Today I learned that browsers now have a built-in HTML Sanitizer API! No more shipping DOMPurify or other sanitization libraries just to safely inject user content.

Browser support

NOTE: This is still experimental, so feature-detect before using:

if ('Sanitizer' in window) {
  element.setHTML(content);
} else {
  // Fall back to DOMPurify or other library
}

Check MDN and caniuse for current support. As of late 2025 it is available only in Firefox 148 Nightly and in no other browser, so for the short term you will still need DOMPurify or another library!

The problem it solves

Injecting untrusted HTML has always been dangerous. Using innerHTML with user-provided content is basically asking for XSS attacks. Libraries like DOMPurify have been the go-to solution, but now browsers can handle this natively.

Basic usage

The simplest approach uses setHTML() on any element:

const untrustedString = 'Hello <script>alert("xss")</script> World!';
const element = document.getElementById('target');

element.setHTML(untrustedString);
console.log(element.innerHTML); // "Hello  World!" - script removed!

The browser automatically strips out dangerous elements like <script>, event handlers like onclick, and other XSS vectors.

Customizing what’s allowed

You can create a Sanitizer object to control exactly which elements and attributes are permitted:

// Only allow paragraphs and links with href
const sanitizer = new Sanitizer({
  elements: ['p', 'a'],
  attributes: ['href']
});

element.setHTML(userContent, { sanitizer });

Or start with defaults and tweak:

const sanitizer = new Sanitizer();
sanitizer.removeElement('img');  // No images allowed
sanitizer.allowAttribute('class');  // But classes are fine
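Putting the feature-detection snippet from the Browser support section together with the allow-list configuration above, here is an added example (my own code, not from the original post or from any browser's implementation). It keeps a single allow-list policy and applies it either through the native Sanitizer API or through a caller-supplied fallback such as DOMPurify, and it refuses to fall through to a raw innerHTML assignment when neither is available. The names detectNativeSanitizer, setSanitizedHTML, toSanitizerConfig, toDOMPurifyConfig, the COMMENT_POLICY shape and the opts argument are this example's own inventions; the Sanitizer constructor dictionary keys (elements, attributes) and DOMPurify's ALLOWED_TAGS / ALLOWED_ATTR options are the real ones.

```javascript
// Added example, not code from the original post or from any browser.
// One allow-list policy, enforced natively when the Sanitizer API exists and
// through a caller-supplied fallback (e.g. DOMPurify) otherwise.
// The helper names and the policy object shape are this example's own.

// Constructed policy: elements and attributes that untrusted HTML may keep.
// Everything else is removed by whichever sanitizer ends up running.
const COMMENT_POLICY = {
  elements: ['p', 'a', 'em', 'strong'],
  attributes: ['href'],
};

// Feature detection. `'Sanitizer' in window` alone is a thin check, so this
// also requires Element.prototype.setHTML before choosing the native path;
// both checks are cheap and guard against partial implementations.
function detectNativeSanitizer(win) {
  if (!win || typeof win.Sanitizer !== 'function') {
    return { native: false, reason: 'no Sanitizer constructor' };
  }
  const proto = win.Element && win.Element.prototype;
  if (!proto || typeof proto.setHTML !== 'function') {
    return { native: false, reason: 'no Element.prototype.setHTML' };
  }
  return { native: true, reason: 'ok' };
}

// The policy as a Sanitizer configuration dictionary (elements / attributes,
// the same keys used in the post) ...
function toSanitizerConfig(policy) {
  return { elements: [...policy.elements], attributes: [...policy.attributes] };
}

// ... and as DOMPurify options, so the fallback enforces the same allow-list.
function toDOMPurifyConfig(policy) {
  return { ALLOWED_TAGS: [...policy.elements], ALLOWED_ATTR: [...policy.attributes] };
}

// Apply untrusted HTML to `element` under `policy`.
// opts.fallbackSanitize: (html, domPurifyConfig) => cleanHtml, for example
//   (html, cfg) => DOMPurify.sanitize(html, cfg)
// opts.win: the global to feature-detect on (defaults to window).
// Returns which path ran; throws when no sanitizer is available rather than
// writing unsanitized markup into the page.
function setSanitizedHTML(element, untrustedHtml, policy, opts = {}) {
  const win = opts.win !== undefined ? opts.win : globalThis.window;
  const support = detectNativeSanitizer(win);
  if (support.native) {
    const sanitizer = new win.Sanitizer(toSanitizerConfig(policy));
    element.setHTML(untrustedHtml, { sanitizer });
    return 'native';
  }
  if (typeof opts.fallbackSanitize === 'function') {
    element.innerHTML = opts.fallbackSanitize(untrustedHtml, toDOMPurifyConfig(policy));
    return 'fallback';
  }
  throw new Error('no HTML sanitizer available: ' + support.reason);
}

// Browser usage (not executed here):
//   setSanitizedHTML(document.getElementById('target'), userContent,
//     COMMENT_POLICY, { fallbackSanitize: (h, c) => DOMPurify.sanitize(h, c) });
```

The point of the two config converters is that the allow-list lives in one place: whichever branch runs, the same elements and attributes survive, so a page does not silently become more permissive on browsers without the native API. Throwing instead of assigning innerHTML directly makes a missing fallback a visible bug rather than an XSS hole.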

When you need more danger

For trusted content that needs unsafe elements, there’s setHTMLUnsafe():

// Only use this with content you trust!
element.setHTMLUnsafe(trustedContent, { sanitizer });

Parsing without inserting

You can also sanitize HTML without immediately inserting it:

const doc = Document.parseHTML(untrustedHTML);
// Returns a new, sanitized Document (not a fragment); inspect or manipulate
// doc.body before moving any of its nodes into your page