Unsanitized HTML parsing methods
The Document.parseHTMLUnsafe()
static method parses HTML into a DOM tree, while the setHTMLUnsafe()
method of Element
and ShadowRoot
parses and inserts HTML into an existing tree. No sanitization applies to these methods, so never call them with user-provided HTML strings.
Status
Baseline Newly Available (since 2025-09-15)
This feature is expected to reach Baseline Widely Available status on: 2028-03-15
MDN documentation
Specifications
- HTML (#unsafe-html-parsing-methods), from HTML Workstream (WHATWG).
Browser support
- Chrome 124 Released on 2024-04-16
- Chrome Android 124 Released on 2024-04-16
- Edge 124 Released on 2024-04-18
- Firefox 128 Released on 2024-07-09
- Firefox for Android 128 Released on 2024-07-09
- Safari 26 Released on 2025-09-15
- Safari on iOS 26 Released on 2025-09-15
Developer signals
- State of HTML 2025: reading_list/reading_list question
- State of HTML 2024: reading_list/reading_list question
- State of HTML 2024: features/all_features question
- State of HTML 2024: content/content_features question
Usage (according to Chrome Platform Status)
~0.014% of page loads. More data at chromestatus.com.
Web Platform Tests (WPT)
View the latest WPT test results for this featureView as JSON | Edit this feature | Report an issue | Web-features entry: source, dist