The setHTML() method of the Element interface parses and sanitizes a string of HTML and then inserts it into the DOM as a subtree of the element. It should be used instead of Element.innerHTML for inserting untrusted strings of HTML into an element.
The parsing process drops any elements in the HTML string that are invalid in the context of the current element, while sanitizing removes any unsafe or otherwise unwanted elements, attributes or comments. The default Sanitizer() configuration strips out XSS-relevant input, including <script> tags, custom elements, and comments. The sanitizer configuration may be customized using Sanitizer() constructor options.
Use Sanitizer.sanitizeFor() instead of this method if the string must be inserted into the DOM at a later point, for example if the target element is not yet available.
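An added example (not part of the page) of the pattern described above: an allow-list Sanitizer configuration for a comment widget, with feature detection so that a browser without setHTML() falls back to plain text rather than to innerHTML. The option names allowElements, allowAttributes and dropElements are assumed from the original Sanitizer API draft, and the untrusted input string is constructed.

```javascript
// Allow-list for a comment widget: basic formatting and links only.
// Option names are assumed from the Sanitizer API draft, not taken from the page.
const COMMENT_SANITIZER_CONFIG = {
  allowElements: ["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"],
  allowAttributes: { href: ["a"] },   // href only, and only on <a>
  dropElements: ["script", "style", "iframe", "object", "embed"],
};

// Constructed untrusted input: inline handler, script tag and HTML comment.
const UNTRUSTED_COMMENT =
  '<p onclick="alert(1)">Hi <b>there</b></p>' +
  "<script>alert(2)</script><!-- tracking --><a href=\"#reply\">reply</a>";

// Build a Sanitizer when the browser provides one; null otherwise.
// `typeof` on an undeclared global does not throw, so this is safe in Node too.
function makeSanitizer(config) {
  return typeof Sanitizer === "function" ? new Sanitizer(config) : null;
}

// Insert untrusted HTML into `target`. Returns which path was taken.
//  - "sanitized": setHTML() parsed and sanitized the string in the target's
//    context (with no sanitizer option the default configuration applies).
//  - "text-only": fail-closed fallback; the markup is shown as literal text.
function renderUntrusted(target, html, sanitizer) {
  if (typeof target.setHTML === "function") {
    target.setHTML(html, sanitizer ? { sanitizer } : undefined);
    return "sanitized";
  }
  // Never fall back to innerHTML for an untrusted string.
  target.textContent = html;
  return "text-only";
}

// Browser usage: the onclick attribute, script tag and comment are removed
// because only the allow-listed elements and the href attribute survive.
if (typeof document !== "undefined") {
  const box = document.getElementById("comment");
  if (box) {
    renderUntrusted(box, UNTRUSTED_COMMENT, makeSanitizer(COMMENT_SANITIZER_CONFIG));
  }
}
```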