@woocommerce/sanitize

WooCommerce HTML sanitization utilities using DOMPurify with trusted types support.

Features

- Secure HTML Sanitization: Uses DOMPurify to sanitize HTML content
- Trusted Types Support: Automatically configures trusted types policy to avoid conflicts
- Configurable: Supports custom allowed tags and attributes
- TypeScript Support: Full TypeScript definitions included

Usage

$3

``typescript import { sanitizeHTML } from '@woocommerce/sanitize';

const cleanHTML = sanitizeHTML('

Hello World!

');
// Returns: 'Hello World!
'

$3

`javascript import { sanitizeHTML } from '@woocommerce/sanitize';

function MyComponent( { content } ) { const sanitizedContent = { __html: sanitizeHTML( content ) }; return (


  );
}

$3

`javascript import { sanitizeHTML } from '@woocommerce/sanitize';

const customSanitized = sanitizeHTML( html, { tags: ['p', 'br', 'strong'], attr: ['class', 'id'] } );`

`$3`

By default, sanitizeHTML returns a string. You can opt into other DOMPurify return modes with the returnType option:

`ts import { sanitizeHTML } from '@woocommerce/sanitize';

// Return an HTMLBodyElement const bodyEl = sanitizeHTML('

Hi

', { returnType: 'HTMLBodyElement' });
// Return a DocumentFragment
const fragment = sanitizeHTML('
Hi
', { returnType: 'DocumentFragment' });


Trusted Types

This package automatically configures a trusted types policy named woocommerce-sanitize to avoid conflicts with DOMPurify's default policy. The policy is initialized when the module is loaded.

`ts import { getTrustedTypesPolicy } from '@woocommerce/sanitize';

const policy = getTrustedTypesPolicy(); if (policy) { const trustedHTML = policy.createHTML('

Content

');
  element.innerHTML = trustedHTML; // Safe in Trusted Types environments
}

The policy automatically sanitizes HTML using the same rules as sanitizeHTML()`.