The HTML Sanitizer API

May 14, 2026

Ahmad Alfy walks through the new browser-native API that prevents XSS without DOMPurify. Safe methods setHTML and parseHTML always strip dangerous content, while setHTMLUnsafe and parseHTMLUnsafe respect your configuration. Allow-lists and block-lists give fine-grained control over elements and attributes. Great for comment sections, WYSIWYG editors, and markdown previews, though backend sanitization stays essential.

alfy.blog/2026/05/07/html-sanitizer-api.html

Tags api html js security

May 13
Soon we can finally banish JavaScript to the ShadowRealm
A look at the TC39 ShadowRealm proposal for isolating JavaScript in clean execution contexts.
April 30
The web is fun again: first experiments with HTML in <canvas>
An experimental Chrome API that draws real HTML into <canvas>, with pixel and shader effects.
April 27
The end of responsive images
How sizes="auto" with loading="lazy" lets browsers handle most responsive images.
April 24
Your options for preloading images with JavaScript
Five approaches compared with their caching and CORS trade-offs.
April 20
Fully local code embeds
A web component for isolated code sandboxes without third-party embeds.
April 13
Progressive web components
An HTML-and-CSS-first library for building web components that hydrate with JS.
April 7
Getting your article shared: tips from ten years of newsletter curation
Practical advice on OG tags, sharing images, titles, blurbs, and canonical URLs.
April 2
Squarespace and web standards: how we helped bring HTML video and audio lazy loading to today’s browsers
How Squarespace engineers contributed lazy loading for video and audio to the web platform.