@tpmjs/tools-html-sanitize
Sanitize HTML content to prevent XSS (Cross-Site Scripting) attacks. Removes dangerous tags, attributes, and protocols while preserving safe HTML structure. Supports custom allowed tags and attributes configuration.
Last checked: 1/1/2026, 1:05:37 AM
Install this tool and use it with the AI SDK
```bash
npm install @tpmjs/tools-html-sanitize
pnpm add @tpmjs/tools-html-sanitize
yarn add @tpmjs/tools-html-sanitize
bun add @tpmjs/tools-html-sanitize
deno add npm:@tpmjs/tools-html-sanitize
```

```typescript
import { generateText } from 'ai';
import { openai } from '@ai-sdk/openai';
import { htmlSanitizeTool } from '@tpmjs/tools-html-sanitize';

// Register the tool with the AI SDK; the model can call it to sanitize HTML.
const result = await generateText({
  model: openai('gpt-4o'),
  tools: { htmlSanitizeTool },
  prompt: 'Your prompt here...',
});
console.log(result.text);
```

Available configuration options
| Parameter | Type | Description |
|---|---|---|
| html | string | The HTML string to sanitize |
| options | object | Optional configuration for allowed tags and attributes |
Schema extracted: 1/1/2026, 1:05:36 AM
Sanitize HTML to prevent XSS attacks using isomorphic-dompurify.
```bash
npm install @tpmjs/tools-html-sanitize
# or
pnpm add @tpmjs/tools-html-sanitize
# or
yarn add @tpmjs/tools-html-sanitize
```
```typescript
import { htmlSanitizeTool } from '@tpmjs/tools-html-sanitize';
import { generateText } from 'ai';

const result = await generateText({
  model: yourModel,
  tools: {
    htmlSanitize: htmlSanitizeTool,
  },
  prompt: 'Sanitize this HTML to make it safe',
});
```
```typescript
import { htmlSanitizeTool } from '@tpmjs/tools-html-sanitize';

// Call the tool directly, without going through a model.
const result = await htmlSanitizeTool.execute({
  html: '<p>Safe content</p><script>alert("XSS")</script>',
});

console.log(result.sanitized);
// <p>Safe content</p>

console.log(result);
// {
//   sanitized: '<p>Safe content</p>',
//   removedCount: 1,
//   warnings: ['Removed script tags to prevent XSS']
// }
```
| Parameter | Type | Required | Description |
|---|---|---|---|
| html | string | Yes | The HTML string to sanitize |
| options | SanitizeOptions | No | Configuration for allowed tags and attributes |
```typescript
// SanitizeOptions
{
  allowedTags?: string[];                        // Array of allowed HTML tag names
  allowedAttributes?: Record<string, string[]>;  // Tag -> attributes mapping
}
```

```typescript
// Result returned by execute()
{
  sanitized: string;     // The sanitized HTML
  removedCount: number;  // Number of elements removed
  warnings: string[];    // Descriptions of what was removed
}
```
```typescript
// Inline event handlers and script tags are stripped.
const result = await htmlSanitizeTool.execute({
  html: '<p onclick="alert(1)">Click me</p><script>alert("XSS")</script>',
});

console.log(result.sanitized);
// <p>Click me</p>

console.log(result.warnings);
// ['Removed inline event handlers (onclick, onerror, etc.)', 'Removed script tags to prevent XSS']
```

```typescript
// Restrict the allowed tags; disallowed elements are removed but their text is kept.
const result = await htmlSanitizeTool.execute({
  html: '<p>Paragraph</p><div>Div</div><script>alert(1)</script>',
  options: {
    allowedTags: ['p'], // Only allow <p> tags
  },
});

console.log(result.sanitized);
// <p>Paragraph</p>Div
```

```typescript
// Restrict the allowed attributes per tag.
const result = await htmlSanitizeTool.execute({
  html: '<a href="https://example.com" onclick="alert(1)" data-custom="value">Link</a>',
  options: {
    allowedTags: ['a'],
    allowedAttributes: {
      'a': ['href'], // Only allow href attribute on <a> tags
    },
  },
});

console.log(result.sanitized);
// <a href="https://example.com">Link</a>
```

```typescript
// javascript: URLs are removed from links.
const result = await htmlSanitizeTool.execute({
  html: '<a href="javascript:alert(1)">Click</a>',
});

console.log(result.sanitized);
// <a>Click</a>

console.log(result.warnings);
// ['Removed javascript: protocol from links']
```

```typescript
// iframe, object and embed elements are removed by default.
const result = await htmlSanitizeTool.execute({
  html: '<p>Safe</p><iframe src="evil.com"></iframe><embed src="malware.swf">',
});

console.log(result.sanitized);
// <p>Safe</p>

console.log(result.warnings);
// ['Removed iframe tags', 'Removed object or embed tags']
```

```typescript
// Event handlers on images are stripped while safe attributes are kept.
const result = await htmlSanitizeTool.execute({
  html: '<img src="photo.jpg" alt="Photo" onerror="alert(1)">',
});

console.log(result.sanitized);
// <img src="photo.jpg" alt="Photo">

console.log(result.warnings);
// ['Removed inline event handlers (onclick, onerror, etc.)']
```

```typescript
// A larger document mixing safe and unsafe markup.
const result = await htmlSanitizeTool.execute({
  html: `
    <div class="container">
      <h1>Title</h1>
      <p>Safe paragraph</p>
      <script>alert("XSS")</script>
      <style>body { display: none; }</style>
      <a href="javascript:void(0)">Bad link</a>
      <a href="https://safe.com">Good link</a>
    </div>
  `,
});

console.log(result.sanitized);
// <div class="container">
//   <h1>Title</h1>
//   <p>Safe paragraph</p>
//   <a>Bad link</a>
//   <a href="https://safe.com">Good link</a>
// </div>

console.log(result.removedCount);
// 2

console.log(result.warnings);
// ['Removed script tags to prevent XSS', 'Removed javascript: protocol from links', 'Removed style tags']
```
```typescript
// Default allowed tags
['p', 'br', 'span', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'strong', 'em', 'b', 'i', 'u', 'ul', 'ol', 'li', 'a', 'img', 'blockquote', 'code', 'pre']
```

```typescript
// Default allowed attributes
{
  'a': ['href', 'title', 'target'],
  'img': ['src', 'alt', 'title', 'width', 'height'],
  '*': ['class', 'id'], // Allowed on all tags
}
```
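The tool is built on isomorphic-dompurify, whose `ALLOWED_ATTR` list is global rather than per tag, so an options object like the one above cannot be passed straight through. The following is an added example (not the package's own source) that maps `SanitizeOptions` onto a DOMPurify config plus an `uponSanitizeAttribute` hook that enforces the per-tag and `'*'` rules; it assumes an omitted field falls back to the defaults listed above, and `buildDomPurifyConfig` and `makeAttrPredicate` are names chosen here.

```javascript
// Added example (not the package's own source): map the tool's SanitizeOptions
// onto a DOMPurify configuration. DOMPurify's ALLOWED_ATTR is one global list,
// so per-tag rules such as { a: ['href'] } also need an 'uponSanitizeAttribute'
// hook. Defaults mirror the documented lists; omitted field = default is an assumption.
const DEFAULT_ALLOWED_TAGS = [
  'p', 'br', 'span', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
  'strong', 'em', 'b', 'i', 'u', 'ul', 'ol', 'li', 'a', 'img',
  'blockquote', 'code', 'pre',
];
const DEFAULT_ALLOWED_ATTRIBUTES = {
  a: ['href', 'title', 'target'],
  img: ['src', 'alt', 'title', 'width', 'height'],
  '*': ['class', 'id'], // allowed on every tag
};

// Per-tag predicate: attr is allowed on tag if listed for that tag or under '*'.
function makeAttrPredicate(allowedAttributes) {
  const table = new Map();
  for (const [tag, attrs] of Object.entries(allowedAttributes)) {
    table.set(tag.toLowerCase(), new Set(attrs.map((a) => a.toLowerCase())));
  }
  return (tag, attr) => {
    const a = attr.toLowerCase();
    const forTag = table.get(tag.toLowerCase());
    const forAll = table.get('*');
    return Boolean((forTag && forTag.has(a)) || (forAll && forAll.has(a)));
  };
}

// Returns { config, hook, isAttrAllowed }. Use as:
//   DOMPurify.addHook('uponSanitizeAttribute', hook);
//   DOMPurify.sanitize(html, config);
// KEEP_CONTENT stays at its default (true), so a disallowed <div>Div</div> leaves
// the text "Div" behind; URI schemes are left to DOMPurify's built-in allow-list.
function buildDomPurifyConfig(options = {}) {
  const allowedTags = options.allowedTags ?? DEFAULT_ALLOWED_TAGS;
  const allowedAttributes = options.allowedAttributes ?? DEFAULT_ALLOWED_ATTRIBUTES;
  const isAttrAllowed = makeAttrPredicate(allowedAttributes);
  // Global list = union of all per-tag lists; the hook narrows it back per tag.
  const union = new Set(Object.values(allowedAttributes).flat().map((a) => a.toLowerCase()));
  const config = {
    ALLOWED_TAGS: allowedTags.map((t) => t.toLowerCase()),
    ALLOWED_ATTR: [...union],
  };
  const hook = (node, data) => {
    // node.nodeName is the upper-case element name; data.keepAttr=false drops the attribute.
    if (!isAttrAllowed(node.nodeName, data.attrName)) data.keepAttr = false;
  };
  return { config, hook, isAttrAllowed };
}
```

With `allowedAttributes: {}` the union is empty, so every attribute is dropped, which is the behaviour the rich-text-editor example below relies on.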
| Feature | Description |
|---|---|
| Script removal | Removes `<script>` tags |
| Event handler removal | Removes `onclick`, `onerror`, etc. |
| Protocol filtering | Blocks `javascript:`, unsafe `data:` |
| iframe removal | Removes `<iframe>` by default |
| Object/embed removal | Removes `<object>` and `<embed>` |
| Style removal | Removes `<style>` tags by default |
```typescript
// User-generated comments
const userComment = '<p>Great post!</p><script>stealCookies()</script>';
const result = await htmlSanitizeTool.execute({ html: userComment });
// Safe to display: <p>Great post!</p>
```

```typescript
// Rich-text editor output: keep basic formatting only, no attributes at all
const result = await htmlSanitizeTool.execute({
  html: richTextEditorContent,
  options: {
    allowedTags: ['p', 'br', 'strong', 'em', 'u'],
    allowedAttributes: {},
  },
});
```

```typescript
// HTML converted from Markdown: allow links, but only href and title on them
const result = await htmlSanitizeTool.execute({
  html: markdownConverted,
  options: {
    allowedTags: ['p', 'a', 'strong', 'em'],
    allowedAttributes: {
      'a': ['href', 'title'],
    },
  },
});
```
```typescript
try {
  const result = await htmlSanitizeTool.execute({
    html: null, // Invalid input
  });
} catch (error) {
  console.error(error.message);
  // "HTML input must be a string"
}
```
MIT