Unsanitized HTML parsing methods
The Document.parseHTMLUnsafe()
static method parses HTML into a DOM tree, while the setHTMLUnsafe()
method of Element
and ShadowRoot
parses and inserts HTML into an existing tree. No sanitization applies to these methods, so never call them with user-provided HTML strings.
Status
Limited availability
MDN documentation
Specifications
- HTML (#unsafe-html-parsing-methods), from HTML Workstream (WHATWG).
Browser support
- Chrome 124 Released on 2024-04-16
- Chrome Android 124 Released on 2024-04-16
- Edge 124 Released on 2024-04-18
- Firefox 128 Released on 2024-07-09
- Firefox for Android 128 Released on 2024-07-09
- Safari ❌
- Safari on iOS ❌
Baseline availability blocked since July 2024 by Safari (13 months)
Developer signals
- State of HTML 2024: features/all_features question
- State of HTML 2024: content/content_features question
Usage (according to Chrome Platform Status)
~0.010% of page loads. More data at chromestatus.
Web Platform Tests (WPT)
View the latest WPT test results for this featureView as JSON | Edit this feature | Report an issue | Web-features entry: source, dist