Skip to content

Latest commit

 

History

History
84 lines (62 loc) · 2.74 KB

File metadata and controls

84 lines (62 loc) · 2.74 KB
metadata
lastUpdated staleness tags
24-Mar-2026
30d
getting-started
quickstart

Getting Started

@darylcecile/sanitizer is a zero-dependency, SSR-safe HTML sanitizer that follows the W3C Sanitizer API specification. It works in any JavaScript runtime — Bun, Node, Deno — without requiring a browser DOM.

Installation

bun add @darylcecile/sanitizer

Or with npm:

npm install @darylcecile/sanitizer

Your First Sanitization

Import sanitize and pass it an HTML string:

import { sanitize } from "@darylcecile/sanitizer";

const clean = sanitize('<p>Hello <b>world</b></p>');
// → '<p>Hello <b>world</b></p>'

By default, sanitize() runs in safe mode — it strips anything that could execute scripts or otherwise compromise security:

// Scripts are removed entirely (element + content)
sanitize('<script>alert("xss")</script><p>Safe</p>');
// → '<p>Safe</p>'

// Event handlers are stripped from attributes
sanitize('<div onclick="alert(1)">Hello</div>');
// → '<div>Hello</div>'

// javascript: URLs are removed from href
sanitize('<a href="javascript:alert(1)">click</a>');
// → '<a>click</a>'

What Gets Stripped

The safe default strips anything that can execute code:

Category Examples
Script elements <script>, SVG <script>
Embedding elements <iframe>, <embed>, <object>, <frame>
Event handlers onclick, onerror, onload, and 90+ others
Dangerous URLs javascript: in href, action, formaction
Comments HTML comments are removed
Unknown elements Elements not in the W3C safe default allow-list

What Gets Preserved

The default configuration allows approximately 100 safe HTML elements along with their appropriate attributes:

  • Structure: <div>, <span>, <p>, <article>, <section>, <nav>, <header>, <footer>
  • Text: <b>, <i>, <em>, <strong>, <code>, <pre>, <mark>, <sub>, <sup>
  • Lists: <ul>, <ol>, <li>, <dl>, <dt>, <dd>
  • Tables: <table>, <thead>, <tbody>, <tr>, <th>, <td>
  • Links: <a> with href, hreflang, type
  • Headings: <h1> through <h6>
  • SVG: <svg>, <circle>, <rect>, <path>, <text>, <g>
  • MathML: <math>, <mrow>, <mi>, <mo>, <mfrac>

Next Steps