Default sanitizer configuration

The default sanitizer configuration is the configuration you get from the Sanitizer() constructor when no configuration is passed as an argument. The same configuration is used implicitly when you call one of the safe sanitization methods, such as Element.setHTML(), ShadowRoot.setHTML(), or Document.parseHTML(), without specifying a custom sanitizer.

This configuration removes the following kinds of items:

  1. Those that are known to be XSS-unsafe.
  2. Additional items that might be used in clickjacking, spoofing, or other attacks.
  3. Comments and data-* attributes.

It therefore provides a sanitizer with a minimal attack surface that is still suitable for the majority of sanitization use cases.

Note: Calling Sanitizer.removeUnsafe(), or passing a custom sanitizer to one of the safe sanitization methods, only removes the XSS-unsafe items. It does not remove the additional items, comments, or data-* attributes; a custom configuration has to ask for those removals explicitly.

The following sections list all the elements, with a ✓ mark indicating those that are allowed by the default configuration (a ❌ therefore indicates those that will be removed). The "Additional allowed attributes" column lists the attributes that are allowed on the corresponding element; any other attribute on that element is removed unless it is allowed as a global attribute. The Global attributes section lists the attributes that are allowed on all elements (the attributes that are not removed when the configuration is used).
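The note above is the pitfall that bites in practice: a custom sanitizer inherits only the XSS-unsafe removals, so comments and data-* attributes survive unless the configuration says otherwise. The example below is added here and is not code from the MDN page or from the Sanitizer specification. It assumes the SanitizerConfig dictionary keys `elements`, `attributes`, `comments` and `dataAttributes`, and the `Sanitizer`, `Element.setHTML()` and `Document.parseHTML()` API surface described on this page; the allowlist itself is an illustrative choice made here (drawn from elements and attributes the tables list), not the default configuration. `RICH_TEXT_CONFIG`, `auditConfig`, `sanitizeInto` and `parseUntrusted` are names invented for this example.

```javascript
// Added example (not from the MDN page): a strict custom configuration for
// rendering untrusted rich text, plus a checker for the two things a custom
// config does NOT remove on its own: comments and data-* attributes.
//
// Assumed (labelled): SanitizerConfig keys `elements`, `attributes`, `comments`,
// `dataAttributes`; the per-element `{ name, attributes }` shape; and that the
// safe methods (setHTML / parseHTML) accept `{ sanitizer: new Sanitizer(config) }`.

// Illustrative allowlist: only these elements survive, and only the listed
// attributes on each. Nothing is allowed globally, so id/class/style/on* go.
const RICH_TEXT_CONFIG = {
  elements: [
    { name: "a", attributes: ["href", "hreflang", "type"] },
    { name: "blockquote", attributes: ["cite"] },
    { name: "ol", attributes: ["reversed", "start", "type"] },
    { name: "li", attributes: ["value"] },
    { name: "time", attributes: ["datetime"] },
    { name: "p" }, { name: "ul" }, { name: "em" }, { name: "strong" }, { name: "code" },
  ],
  attributes: [],
  // A custom config only strips XSS-unsafe items unless told otherwise,
  // so both of these must be set explicitly to match the default's strictness.
  comments: false,
  dataAttributes: false,
};

// Returns a list of warnings for a SanitizerConfig; an empty list means the
// config drops comments and data-* attributes and contains no allowlist
// entries that the safe methods would strip anyway.
function auditConfig(config) {
  const warnings = [];
  if (config.comments !== false) {
    warnings.push("comments are kept: set comments: false");
  }
  if (config.dataAttributes !== false) {
    warnings.push("data-* attributes are kept: set dataAttributes: false");
  }
  for (const el of config.elements ?? []) {
    const name = typeof el === "string" ? el : el.name;
    if (name === "script") {
      warnings.push("script is allowlisted: the safe methods remove it regardless");
    }
  }
  for (const attr of config.attributes ?? []) {
    const name = typeof attr === "string" ? attr : attr.name;
    if (/^on/i.test(name)) {
      warnings.push(`${name} is allowlisted: event handler attributes are XSS-unsafe and removed regardless`);
    }
  }
  return warnings;
}

// Renders untrusted HTML into `target` through the safe method. If the
// Sanitizer API is missing, fail closed rather than falling back to innerHTML.
function sanitizeInto(target, untrustedHtml, config = RICH_TEXT_CONFIG) {
  if (typeof Sanitizer === "undefined" || typeof target.setHTML !== "function") {
    throw new Error("HTML Sanitizer API not available; refusing to render untrusted HTML");
  }
  const problems = auditConfig(config);
  if (problems.length) throw new Error("unsafe sanitizer config: " + problems.join("; "));
  target.setHTML(untrustedHtml, { sanitizer: new Sanitizer(config) });
}

// Same idea for parsing into a detached Document (e.g. to inspect before use).
function parseUntrusted(untrustedHtml, config = RICH_TEXT_CONFIG) {
  if (typeof Sanitizer === "undefined" || typeof Document.parseHTML !== "function") {
    throw new Error("HTML Sanitizer API not available; refusing to parse untrusted HTML");
  }
  const problems = auditConfig(config);
  if (problems.length) throw new Error("unsafe sanitizer config: " + problems.join("; "));
  return Document.parseHTML(untrustedHtml, { sanitizer: new Sanitizer(config) });
}

// Browser usage (constructed input): comment, data-* attribute and onclick
// are all dropped; <p>, <strong> and the <a href> survive.
// sanitizeInto(document.getElementById("comment-body"),
//   '<!-- x --><p data-id="7" onclick="alert(1)">Hi <strong>there</strong> <a href="/u/1">me</a></p>');
```

The `auditConfig` step is cheap and worth keeping in front of every `new Sanitizer(config)` in code that builds configurations dynamically (for example from a CMS setting), because a config that forgets `comments: false` and `dataAttributes: false` still passes the safe methods without complaint.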

HTML elements

Element Allowed Additional allowed attributes
<a> href, hreflang, type
<abbr>
<acronym>
<address>
<area>
<article>
<aside>
<audio>
<b>
<base>
<bdi>
<bdo>
<big>
<blockquote> cite
<body>
<br>
<button>
<canvas>
<caption>
<center>
<cite>
<code>
<col> span
<colgroup> span
<data> value
<datalist>
<dd>
<del> cite, datetime
<details>
<dfn>
<dialog>
<dir>
<div>
<dl>
<dt>
<em>
<embed>
<fencedframe>
<fieldset>
<figcaption>
<figure>
<font>
<footer>
<form>
<frame>
<frameset>
<h1> – <h6>
<head>
<header>
<hgroup>
<hr>
<html>
<i>
<iframe>
<img>
<input>
<ins> cite, datetime
<kbd>
<label>
<legend>
<li> value
<link>
<main>
<map>
<mark>
<marquee>
<menu>
<meta>
<meter>
<nav>
<nobr>
<noembed>
<noframes>
<noscript>
<object>
<ol> reversed, start, type
<optgroup>
<option>
<output>
<p>
<param>
<picture>
<plaintext>
<pre>
<progress>
<q>
<rb>
<rp>
<rt>
<rtc>
<ruby>
<s>
<samp>
<script>
<search>
<section>
<select>
<selectedcontent>
<slot>
<small>
<source>
<span>
<strike>
<strong>
<style>
<sub>
<summary>
<sup>
<table>
<tbody>
<td> colspan, headers, rowspan
<template>
<textarea>
<tfoot>
<th> abbr, colspan, headers, rowspan, scope
<thead>
<time> datetime
<title>
<tr>
<track>
<tt>
<u>
<ul>
<var>
<video>
<wbr>
<xmp>

SVG elements

Element Allowed Additional allowed attributes
<a> href, hreflang, type
<animate>
<animateMotion>
<animateTransform>
<circle> cx, cy, pathLength, r
<clipPath>
<defs>
<desc>
<ellipse> cx, cy, pathLength, rx, ry
<feBlend>
<feColorMatrix>
<feComponentTransfer>
<feComposite>
<feConvolveMatrix>
<feDiffuseLighting>
<feDisplacementMap>
<feDistantLight>
<feDropShadow>
<feFlood>
<feFuncA>
<feFuncB>
<feFuncG>
<feFuncR>
<feGaussianBlur>
<feImage>
<feMerge>
<feMergeNode>
<feMorphology>
<feOffset>
<fePointLight>
<feSpecularLighting>
<feSpotLight>
<feTile>
<feTurbulence>
<filter>
<foreignObject> height, width, x, y
<g>
<image>
<line> pathLength, x1, x2, y1, y2
<linearGradient>
<marker> markerHeight, markerUnits, markerWidth, orient, preserveAspectRatio, refX, refY, viewBox
<mask>
<metadata>
<mpath>
<path> d, pathLength
<pattern>
<polygon> pathLength, points
<polyline> pathLength, points
<radialGradient>
<rect> height, pathLength, rx, ry, width, x, y
<script>
<set>
<stop>
<style>
<svg> height, preserveAspectRatio, viewBox, width, x, y
<switch>
<symbol>
<text> dx, dy, lengthAdjust, rotate, textLength, x, y
<textPath> lengthAdjust, method, path, side, spacing, startOffset, textLength
<title>
<tspan> dx, dy, lengthAdjust, rotate, textLength, x, y
<use>
<view>

MathML elements

Element Allowed Additional allowed attributes
<annotation>
<annotation-xml>
<maction>
<math>
<menclose>
<merror>
<mfenced>
<mfrac>
<mi>
<mmultiscripts>
<mn>
<mo> fence, form, largeop, lspace, maxsize, minsize, movablelimits, rspace, separator, stretchy, symmetric
<mover> accent
<mpadded> depth, height, lspace, voffset, width
<mphantom>
<mprescripts>
<mroot>
<mrow>
<ms>
<mspace> depth, height, width
<msqrt>
<mstyle>
<msub>
<msubsup>
<msup>
<mtable>
<mtd> columnspan, rowspan
<mtext>
<mtr>
<munder> accentunder
<munderover> accent, accentunder
<semantics>

Global attributes

The default configuration allows the following attributes on all elements.

HTML global attributes

MathML global attributes

SVG attributes