sanitize-html

HTML sanitization library that removes potentially dangerous HTML to prevent XSS attacks. Whitelist-based approach: specify allowed tags (a, b, i, p, etc.), allowed attributes per tag, and allowed URL protocols. Strips everything else. Used in CMSes, comment systems, rich text editors, and anywhere user-submitted HTML must be safely rendered. Maintained by Apostrophe CMS team.

Evaluated Mar 06, 2026 (0d ago) v2.x

Homepage ↗ Repo ↗ Developer Tools xss sanitize html security node browser typescript cms

⚙ Agent Friendliness

/ 100

Can an agent use this?

🔒 Security

/ 100

Is it safe for agents?

⚡ Reliability

/ 100

Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality

Documentation

Error Messages

Auth Simplicity

100

Rate Limits

100

🔒 Security

TLS Enforcement

100

Auth Strength

100

Scope Granularity

100

Dep. Hygiene

Secret Handling

100

Purpose-built XSS prevention. Conservative defaults require explicit allowlist. Regular security releases. htmlparser2-based — not using real DOM parser (use DOMPurify client-side for better accuracy).

⚡ Reliability

Uptime/SLA

Version Stability

Breaking Changes

Error Recovery

Best When

You need to allow a safe subset of HTML from user-submitted content while preventing XSS in a Node.js application.

Avoid When

You need browser-only client-side sanitization (use DOMPurify which uses the real DOM parser), or need to strip ALL HTML (use a regex or strip-tags).

Use Cases

• Sanitize user-submitted rich text HTML before storing and rendering in web applications to prevent XSS
• Allow a subset of safe HTML tags in comment systems (b, i, a, ul, li) while stripping scripts and event handlers
• Sanitize HTML from rich text editors (Quill, TipTap, ProseMirror) before server-side storage
• Process HTML content from external sources (RSS feeds, web scraping) to remove malicious scripts
• Implement safe HTML preview for markdown-with-HTML content in agent-generated content pipelines

Not For

• Markdown rendering — sanitize-html processes HTML not Markdown; use marked + sanitize-html together
• Text-only content — if you don't need HTML, strip it entirely with a simpler solution
• Client-side sanitization as the only defense — always sanitize server-side; client-side sanitization alone is bypassable

Interface

REST API

GraphQL

gRPC

MCP Server

SDK

Yes

Webhooks

Authentication

Methods: none

OAuth: No Scopes: No

No authentication — sanitization utility library.

Pricing

Model: open_source

Free tier: Yes

Requires CC: No

Fully free, MIT licensed.

Agent Metadata

Pagination

none

Idempotent

Full

Retry Guidance

Not documented

Known Gotchas

⚠ Whitelist-based: only explicitly allowed tags and attributes pass through — the default config is conservative; customize allowedTags and allowedAttributes for your rich text requirements
⚠ Data URIs in href/src: allowedSchemes restricts URL protocols — data: scheme is blocked by default; never allow data: in href or it enables data URI XSS
⚠ transformTags option can process allowed tags but must return proper structure — incorrect transform return values may pass unsafe content
⚠ allowedClasses for specific class values on tags — don't allow arbitrary class attributes from user input as classes can be used for CSS injection in styled environments
⚠ Self-closing tags behavior differs — void elements (br, img) handled correctly, but ensure your HTML structure expectations match sanitize-html's output format
⚠ Browser-side: sanitize-html works in browsers but DOMPurify is preferred client-side as it uses the real HTML parser (more accurate than htmlparser2)

Alternatives

dompurify-api isomorphic-dompurify-api xss-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for sanitize-html.

$99

API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.