Unsanitized HTML parsing methods
Newly available since 2024-07-09
The Document.parseHTMLUnsafe() static method parses HTML into a DOM tree, while the setHTMLUnsafe() method of Element and ShadowRoot parses and inserts HTML into an existing tree. No sanitization applies to these methods, so never call them with user-provided HTML strings.
To learn more, see Document: parseHTMLUnsafe() static method, Element: setHTMLUnsafe() method, and ShadowRoot: setHTMLUnsafe() method at MDN.
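One way to keep user-provided strings away from setHTMLUnsafe(), shown as an added example that is not part of the original page or of any specification: a wrapper that accepts only markup built from developer-authored templates, with every interpolated value escaped. The helper names escapeHtml, safeHtml and renderInto are hypothetical, and the input string is constructed for illustration.

```javascript
// Added example; escapeHtml, safeHtml and renderInto are hypothetical helper names.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const issued = new WeakSet(); // markup objects produced by safeHtml, and nothing else

// Escapes for HTML text and quoted attribute values only. It does not make a
// value safe inside <script>, <style>, URL attributes or unquoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: the literal parts are developer-authored markup; every
// interpolated value is escaped unless it is itself safeHtml output.
function safeHtml(strings, ...values) {
  let html = strings[0];
  values.forEach((v, i) => {
    html += (issued.has(v) ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  const markup = Object.freeze({ html });
  issued.add(markup);
  return markup;
}

// target is an Element or ShadowRoot. Plain strings are refused, so a
// user-provided HTML string cannot reach the unsanitized parser directly.
function renderInto(target, markup) {
  if (!issued.has(markup)) {
    throw new TypeError("renderInto() only accepts safeHtml`...` output");
  }
  if (typeof target.setHTMLUnsafe === "function") {
    target.setHTMLUnsafe(markup.html);
    return "setHTMLUnsafe";
  }
  // Engines older than those listed under Compatibility; innerHTML is
  // equally unsanitized, so the same guard applies.
  target.innerHTML = markup.html;
  return "innerHTML";
}

// Constructed sample input standing in for a user-supplied display name.
const untrustedName = '<img src=x onerror="alert(1)">';
const greeting = safeHtml`<p class="greeting">Hello, ${untrustedName}!</p>`;

if (typeof document !== "undefined") {
  renderInto(document.body, greeting); // browser only; skipped under Node
}
```

When a value is only ever shown as text, assigning it to textContent avoids HTML parsing altogether.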
Compatibility
- Chrome 124 Released on 2024-04-16
- Chrome Android 124 Released on 2024-04-16
- Edge 124 Released on 2024-04-18
- Firefox 128 Released on 2024-07-09
- Firefox for Android 128 Released on 2024-07-09
- Safari 17.4 Released on 2024-03-05
- Safari on iOS 17.4 Released on 2024-03-05
Specifications
- HTML Standard (#unsafe-html-parsing-methods), from HTML Workstream (WHATWG).