← 返回首页
Document: parseHTML() static method - Web APIs | MDN
HTML

HTML: Markup language

HTML reference HTML guides Markup languages
CSS

CSS: Styling language

CSS reference CSS guides Layout cookbook
JavaScriptJS

JavaScript: Scripting language

JS reference JS guides
Web APIs

Web APIs: Programming interfaces

Web API reference Web API guides
All

All web technology

Technologies Topics
Learn

Learn web development

Frontend developer course Learn HTML Learn CSS Learn JavaScript
Tools

Discover our tools

About

Get to know MDN better

Blog
Toggle sidebar
  1. Web
  2. Web APIs
  3. Document
  4. parseHTML()
Theme
  • OS default
  • Light
  • Dark
English (US)
Remember language Learn more

Document: parseHTML() static method

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The parseHTML() static method of the Document object provides an XSS-safe method to parse and sanitize a string of HTML in order to create a new Document instance.

In this article

Syntax

js
Document.parseHTML(input) Document.parseHTML(input, options)

Parameters

input

A string defining HTML to be sanitized and injected into the shadow root.

options Optional

An options object with the following optional parameters:

sanitizer

A Sanitizer or SanitizerConfig object which defines what elements of the input will be allowed or removed, or the string "default" for the default sanitizer configuration. The method will remove any XSS-unsafe elements and attributes, even if allowed by the sanitizer. If not specified, the default Sanitizer configuration is used.

Note that if you're using the same configuration multiple times, it's expected to be more efficient to use a Sanitizer and modify it when you need to.

Return value

A Document.

Exceptions

TypeError

This is thrown if options.sanitizer is passed a:

  • SanitizerConfig that isn't valid. For example, a configuration that includes both "allowed" and "removed" configuration settings.
  • string that does not have the value "default".
  • value that is not a Sanitizer, SanitizerConfig, or string.

Description

The parseHTML() method parses and sanitize a string of HTML in order to create a new Document instance that is XSS-safe. The resulting Document will have a content type of "text/html", a character set of UTF-8, and a URL of "about:blank".

If no sanitizer is specified in the options.sanitizer parameter, parseHTML() is used with the default sanitizer configuration. This configuration is suitable for the majority of use cases as it prevents XSS attacks, as well as other attacks like clickjacking or spoofing.

A custom Sanitizer or SanitizerConfig can be specified to choose which elements, attributes, and comments are allowed or removed. Note that even if unsafe options are allowed by the sanitizer, they will still be removed when using this method (it removes the same elements as a sanitizer on which Sanitizer.removeUnsafe() has been called).

The input HTML may include declarative shadow roots. If the string of HTML defines more than one declarative shadow root in a particular shadow host then only the first ShadowRoot is created — subsequent declarations are parsed as <template> elements within that shadow root.

parseHTML() should be used instead of Document.parseHTMLUnsafe(), unless there is a specific need to allow unsafe elements and attributes. If the HTML to be parsed doesn't need to contain unsafe HTML entities, then you should use Document.parseHTML().

Note that since this method always sanitizes input strings of XSS-unsafe entities, it is not secured or validated using the Trusted Types API.

Specifications

Specification
HTML Sanitizer API
# dom-document-parsehtml

Browser compatibility

Enable JavaScript to view this browser compatibility table.

See also

Help improve MDN

Was this page helpful to you?
Yes No
Learn how to contribute

This page was last modified on Mar 13, 2026 by MDN contributors.

View this page on GitHubReport a problem with this content
  1. Document Object Model (DOM)
  2. Document
  3. Constructor
    1. Document()
  4. Instance properties
    1. activeElement
    2. activeViewTransition
    3. adoptedStyleSheets
    4. alinkColor
    5. all
    6. anchors
    7. applets
    8. bgColor
    9. body
    10. characterSet
    11. childElementCount
    12. children
    13. compatMode
    14. contentType
    15. cookie
    16. currentScript
    17. customElementRegistry
    18. defaultView
    19. designMode
    20. dir
    21. doctype
    22. documentElement
    23. documentURI
    24. domain
    25. embeds
    26. featurePolicy
    27. fgColor
    28. firstElementChild
    29. fonts
    30. forms
    31. fragmentDirective
    32. fullscreen
    33. fullscreenElement
    34. fullscreenEnabled
    35. head
    36. hidden
    37. images
    38. implementation
    39. lastElementChild
    40. lastModified
    41. lastStyleSheetSet
    42. linkColor
    43. links
    44. location
    45. pictureInPictureElement
    46. pictureInPictureEnabled
    47. plugins
    48. pointerLockElement
    49. preferredStyleSheetSet
    50. prerendering
    51. readyState
    52. referrer
    53. rootElement
    54. scripts
    55. scrollingElement
    56. selectedStyleSheetSet
    57. styleSheets
    58. styleSheetSets
    59. timeline
    60. title
    61. URL
    62. visibilityState
    63. vlinkColor
    64. xmlEncoding
    65. xmlVersion
  5. Static methods
    1. parseHTML()
    2. parseHTMLUnsafe()
  6. Instance methods
    1. adoptNode()
    2. append()
    3. ariaNotify()
    4. browsingTopics()
    5. caretPositionFromPoint()
    6. caretRangeFromPoint()
    7. clear()
    8. close()
    9. createAttribute()
    10. createAttributeNS()
    11. createCDATASection()
    12. createComment()
    13. createDocumentFragment()
    14. createElement()
    15. createElementNS()
    16. createEvent()
    17. createExpression()
    18. createNodeIterator()
    19. createNSResolver()
    20. createProcessingInstruction()
    21. createRange()
    22. createTextNode()
    23. createTouch()
    24. createTouchList()
    25. createTreeWalker()
    26. elementFromPoint()
    27. elementsFromPoint()
    28. enableStyleSheetsForSet()
    29. evaluate()
    30. execCommand()
    31. exitFullscreen()
    32. exitPictureInPicture()
    33. exitPointerLock()
    34. getAnimations()
    35. getElementById()
    36. getElementsByClassName()
    37. getElementsByName()
    38. getElementsByTagName()
    39. getElementsByTagNameNS()
    40. getSelection()
    41. hasFocus()
    42. hasPrivateToken()
    43. hasRedemptionRecord()
    44. hasStorageAccess()
    45. hasUnpartitionedCookieAccess()
    46. importNode()
    47. moveBefore()
    48. mozSetImageElement()
    49. open()
    50. prepend()
    51. queryCommandEnabled()
    52. queryCommandState()
    53. queryCommandSupported()
    54. querySelector()
    55. querySelectorAll()
    56. releaseCapture()
    57. replaceChildren()
    58. requestStorageAccess()
    59. requestStorageAccessFor()
    60. startViewTransition()
    61. write()
    62. writeln()
  7. Events
    1. afterscriptexecute
    2. beforescriptexecute
    3. DOMContentLoaded
    4. fullscreenchange
    5. fullscreenerror
    6. pointerlockchange
    7. pointerlockerror
    8. prerenderingchange
    9. readystatechange
    10. scroll
    11. scrollend
    12. scrollsnapchange
    13. scrollsnapchanging
    14. securitypolicyviolation
    15. selectionchange
    16. visibilitychange
  8. Inheritance
    1. Node
    2. EventTarget
  9. Related pages for DOM
    1. AbortController
    2. AbortSignal
    3. AbstractRange
    4. Attr
    5. CDATASection
    6. CharacterData
    7. Comment
    8. CustomEvent
    9. DOMError
    10. DOMException
    11. DOMImplementation
    12. DOMParser
    13. DOMTokenList
    14. DocumentFragment
    15. DocumentType
    16. Element
    17. Event
    18. EventTarget
    19. HTMLCollection
    20. MutationObserver
    21. MutationRecord
    22. NamedNodeMap
    23. Node
    24. NodeIterator
    25. NodeList
    26. ProcessingInstruction
    27. QuotaExceededError
    28. Range
    29. ShadowRoot
    30. StaticRange
    31. Text
    32. TreeWalker
    33. XMLDocument
    34. XPathEvaluator
    35. XPathExpression
    36. XPathResult
    37. XSLTProcessor
  10. Guides
    1. Anatomy of the DOM
    2. Attribute reflection
    3. Selection and traversal on the DOM tree
    4. Building and updating the DOM tree
    5. Working with events

Your blueprint for a better internet.

MDN Contribute Developers

Visit Mozilla Corporation’s not-for-profit parent, the Mozilla Foundation.
Portions of this content are ©1998–2026 by individual mozilla.org contributors. Content available under a Creative Commons license.