Unescaped HTML
aura:unescapedHtml
Renders an HTML value as-is, without altering its contents. Use this component to render pre-formatted HTML, for example, where the formatting is arbitrary, or expensive to calculate. The body of this component is ignored, and won’t be rendered. Only use aura:unescapedHtml with trusted or sanitized sources of data.
For Use In
Lightning Experience, Experience Builder Sites, Salesforce Mobile App, Lightning Out (Beta), Standalone Lightning App
aura:unescapedHtml outputs the value as unescaped HTML, which can introduce security vulnerabilities in your code. Use lightning:formattedRichText whenever possible. Alternatively, if you want to display plain text without HTML formatting, use lightning:formattedText instead.
Sanitize user input before rendering it unescaped. Rendering unescaped HTML can expose you to cross-site scripting (XSS) vulnerabilities.
Use the value attribute to pass an HTML string. The string is rendered as-is in the DOM.
This example renders as “Hello world”.
Any markup you place inside <aura:unescapedHtml> is removed. Only the value attribute is rendered.
Only use aura:unescapedHtml when you specifically need the browser to interpret the HTML tags.
A trusted source means the HTML was either generated by your own code or sanitized before being stored or returned.
Trusted sources include:
- HTML returned from Apex that explicitly strips dangerous tags (stripping a deny-list of tags is fragile; prefer rebuilding the output from an allow-list of tags and attributes)
- Content from Salesforce rich text fields, which the Salesforce Platform sanitizes before storage
- Static strings defined directly in your component or controller, provided no untrusted data is concatenated into them
Untrusted sources must be sanitized before use. Untrusted sources include:
- User-entered form input
- URL parameters or query strings
- Responses from third-party APIs
aura:unescapedHtml does not bypass Salesforce’s Content Security Policy (CSP). Inline <script> tags embedded in the value string don’t execute. However, CSP does not prevent all attack vectors: event handler attributes such as onerror or onload can still run JavaScript if the HTML isn’t sanitized. CSP reduces some risk but isn’t a substitute for sanitization.
aura:unescapedHtml passes the string directly to the DOM without modification. Consider these alternatives for your use case.
lightning:formattedText treats its value as plain text and escapes HTML characters before rendering. lightning:formattedRichText renders rich text from Salesforce fields.
| Scenario | Recommended component | How the input <strong>bold</strong> renders |
|---|---|---|
| Displaying plain text with no HTML formatting | lightning:formattedText | <strong>bold</strong> (escaped) |
| Displaying rich text stored in a Salesforce field | lightning:formattedRichText | bold (sanitized by the Salesforce Platform) |
| Rendering arbitrary pre-formatted HTML from a trusted or sanitized source | aura:unescapedHtml | bold (rendered as-is) |
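As an added example (not from the Salesforce documentation or the platform's own code), the following JavaScript models the three table rows as plain functions: escapeHtml for what lightning:formattedText does, renderAsIs for aura:unescapedHtml, and sanitizeHtml, an allow-list sanitizer standing in for the "sanitize untrusted HTML before use" step, run against the table's <strong>bold</strong> sample and the onerror vector from the CSP discussion above. The function names, allow-lists and sample strings are this example's own choices. The tokenizer is deliberately simple; in production use a maintained HTML sanitizer library rather than a hand-written one, but the design point carries over: rebuild the output from an allow-list instead of stripping a deny-list.

```javascript
// Added example (not Salesforce's code): models the three rendering paths in
// the table above with plain functions, plus the onerror vector from the CSP
// discussion. Function names and the allow-lists are this example's choices.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// lightning:formattedText behaviour: HTML-significant characters are escaped,
// so the browser displays the tags literally instead of interpreting them.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// aura:unescapedHtml behaviour: the string reaches the DOM unchanged.
function renderAsIs(html) {
  return String(html);
}

// Allow-list sanitizer for the "sanitize untrusted HTML before use" step.
// The output is rebuilt from the allow-lists, so anything absent from them
// (every on* event handler, <script>, <img>, javascript: URLs) never gets out.
const ALLOWED_TAGS = new Set(["b", "i", "strong", "em", "p", "br", "ul", "ol", "li", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
// http(s), mailto, same-origin relative paths and fragments only; no
// protocol-relative (//host) and no javascript:/data: URLs.
const SAFE_URL = /^(?:https?:|mailto:|\/(?!\/)|#)/i;

function sanitizeHtml(html) {
  const out = [];
  // Tokens: a tag (<name attrs>), a run of text, or a stray '<' that starts no tag.
  const token = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|([^<]+)|(<)/g;
  let skipping = null; // dropped container (script/style) whose body is dropped too
  let m;
  while ((m = token.exec(String(html))) !== null) {
    const [whole, name, rawAttrs, text, strayLt] = m;
    const closing = whole.startsWith("</");
    if (skipping) {
      if (name && closing && name.toLowerCase() === skipping) skipping = null;
      continue;
    }
    if (text !== undefined) { out.push(escapeHtml(text)); continue; }
    if (strayLt !== undefined) { out.push("&lt;"); continue; }

    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      if (!closing && (tag === "script" || tag === "style")) skipping = tag;
      continue; // unknown tag dropped; its text content still passes through escaped
    }
    if (closing) { out.push(`</${tag}>`); continue; }

    const kept = [];
    const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      const allowed = ALLOWED_ATTRS[tag];
      if (!allowed || !allowed.has(attr)) continue;                  // drops onerror, onload, style, ...
      if (attr === "href" && !SAFE_URL.test(value.trim())) continue; // drops javascript: and data: hrefs
      kept.push(` ${attr}="${escapeHtml(value)}"`);                  // quoted and escaped: no breakout
    }
    out.push(`<${tag}${kept.join("")}>`);
  }
  return out.join("");
}

// Constructed inputs: the table's sample and the CSP passage's onerror vector.
const SAMPLES = {
  bold: "<strong>bold</strong>",
  // CSP may stop the <script>, but the onerror handler runs if this string
  // reaches aura:unescapedHtml without sanitization.
  onerror: '<img src="x" onerror="alert(document.domain)"><script>alert(1)</script>',
  link: '<a href="javascript:alert(1)" onclick="alert(2)">click</a>',
};

// Returns what each of the three paths would hand to the DOM for one input.
function compare(input) {
  return { escaped: escapeHtml(input), asIs: renderAsIs(input), sanitized: sanitizeHtml(input) };
}

for (const [label, input] of Object.entries(SAMPLES)) console.log(label, compare(input));
```

Run it with node. For the bold sample, escapeHtml shows the tags literally (the formattedText row), renderAsIs and sanitizeHtml both yield real bold (the other two rows). For the onerror sample, renderAsIs hands the event handler to the DOM untouched while sanitizeHtml returns an empty string, because neither img nor script is in the allow-list; the link sample loses both its javascript: href and its onclick but keeps the anchor text.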
- Security for Lightning Components: Lightning Web Security Sanitization
- Security for Lightning Components: Disable Sanitization