Disable Sanitization

By default, when Lightning Web Security is enabled in your org, the aura:unescapedHTML component sanitizes the HTML content it renders. Sanitization keeps an allowlist of safe HTML tags and removes dangerous elements and attributes, such as script tags, event-handler attributes, and javascript: URLs.

When you disable sanitization in your org, aura:unescapedHTML renders HTML content exactly as it is provided, including the tags and attributes that sanitization normally removes for security reasons.

Disabling sanitization exposes your org to cross-site scripting (XSS) if the component ever renders untrusted content. Disable it only when you have a specific requirement and understand the security implications.

To disable sanitization when you use aura:unescapedHTML:

  1. From Setup, enter Session in the Quick Find box, and then select Session Settings.
  2. In the Lightning Web Security section, select the Disable sanitization in aura:unescapedHtml component option.
  3. Save your changes.

When sanitization is enabled (the default), aura:unescapedHTML removes unsafe elements and attributes. When you disable it, the following attack vectors become possible and can expose your org to XSS vulnerabilities. Content Security Policy (CSP) provides some protection, but it isn’t sufficient to prevent all XSS attacks.

  • Scripts that run directly in script tags
  • Scripts that are embedded in iframe srcdoc attributes
  • Base64-encoded scripts in iframe data URIs
  • Blob URLs that contain runnable JavaScript
  • Image error handlers that run when images fail to load
  • SVG onload events that fire when SVG elements render
  • Input onfocus events that fire automatically with autofocus
  • Mouse events that trigger when users hover over elements
  • Details elements with toggle events that fire when disclosure widgets are opened
  • Video and audio error handlers that run when media fails to load
  • Marquee onstart events that fire when animations begin
  • Anchor tags that use the javascript: protocol in href attributes
  • Iframes that use the javascript: protocol in src attributes
  • Object elements that use the javascript: protocol in the data attribute
  • Meta elements with the http-equiv attribute set to refresh that redirect to javascript: URLs
  • Iframe onload events that run in the parent context when frames load
  • Nested iframes that attempt to bypass simple content filters
  • Iframe target injection, where links or forms use a named iframe as their target
  • SVG elements with event handlers that are embedded inside iframes
  • Style tags that attempt to run JavaScript through CSS url() values or legacy expression() rules
  • Hidden iframes that use CSS to conceal malicious content from users
  • HTML entity encoding that obfuscates javascript: protocols and bypasses detection
  • Polyglot or malformed tags that browsers attempt to fix during parsing
  • XML or XSLT content that embeds scripts via stylesheets
  • postMessage injection that uses cross-frame communication to run code

These attack vectors are blocked when sanitization is enabled. Disabling sanitization makes your application vulnerable to XSS attacks if your component renders untrusted content.

Consider disabling sanitization only when:

  • You want to render complex HTML that includes interactive elements or embedded scripts
  • The HTML content comes from trusted sources that you fully control
  • You have implemented your own validation and sanitization of the content before it is rendered
  • Your use case requires functionality that’s blocked by sanitization
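The attack vectors listed above, and the last condition above (sanitize before you render), are easier to reason about with code that performs the sanitizer's job on a handful of those payloads. The following is an added example written for this page; it is not Salesforce's sanitizer and not code from this documentation. It is a small allowlist sanitizer (hypothetical names sanitizeHtml, sanitizeAttrs, isSafeUrl, decodeEntities, and the allowlist constants are assumptions) that you could run over content before it is bound to aura:unescapedHTML with sanitization disabled. The payloads in the comments are constructed for the demonstration. It shows the three checks an allowlist sanitizer needs: drop tags not on the allowlist (and the content of script-bearing containers), drop every on* attribute, and reject URL attributes whose decoded scheme is not http, https, or mailto, so that entity-encoded or tab-split javascript: URLs are caught. For production, keep platform sanitization enabled or use a maintained library such as DOMPurify rather than this illustration.

```javascript
// Added example for this page (not Salesforce's sanitizer): an allowlist
// sanitizer that neutralizes the attack vectors listed above. Names and
// allowlists below are assumptions chosen for the demonstration.

const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'span', 'div', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'class']);
const URL_ATTRS = new Set(['href', 'src']);
// Containers whose inner content must be discarded, not just their tags.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'xml', 'noscript', 'template']);
const SAFE_SCHEMES = /^(?:https?|mailto):/i;

const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][^\s/>]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function codePointToChar(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
}

// Decode the entities attackers use to hide "javascript:" (&#106;avascript:,
// &#x6A;avascript:, java&Tab;script:) before the scheme is inspected.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToChar(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&colon;/gi, ':');
}

// Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
// so strip them before deciding. Relative URLs (no scheme) are allowed.
function isSafeUrl(value) {
  const decoded = decodeEntities(value).replace(/[\u0000-\u0020]/g, '');
  if (!/^[a-z][a-z0-9+.-]*:/i.test(decoded)) return true;
  return SAFE_SCHEMES.test(decoded); // javascript:, data:, blob:, vbscript: all fail here
}

function sanitizeAttrs(rawAttrs) {
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    // Drops onerror/onload/onfocus/ontoggle/onstart and the like, plus
    // srcdoc, style and anything else not explicitly allowed.
    if (name.startsWith('on') || !ALLOWED_ATTRS.has(name)) continue;
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let skipUntil = null; // name of the container whose content is being discarded
  for (const m of html.matchAll(TAG_RE)) {
    const text = html.slice(last, m.index);
    last = m.index + m[0].length;
    const tag = m[1] ? m[1].toLowerCase() : null; // null for an HTML comment
    const isClose = m[0].startsWith('</');
    if (skipUntil) {
      if (isClose && tag === skipUntil) skipUntil = null;
      continue; // text and nested tags inside <script>, <iframe>, ... are thrown away
    }
    out += text.replace(/</g, '&lt;'); // stray "<" can never start a polyglot tag
    if (!tag) continue; // comments are dropped
    if (!ALLOWED_TAGS.has(tag)) {
      if (!isClose && DROP_WITH_CONTENT.has(tag)) skipUntil = tag;
      continue; // svg, details, marquee, meta, input, video...: tag removed, text kept
    }
    out += isClose ? `</${tag}>` : `<${tag}${sanitizeAttrs(m[2])}>`;
  }
  out += html.slice(last).replace(/</g, '&lt;');
  return out;
}

// Constructed payloads from the vector list above; each returns inert markup.
// sanitizeHtml('<script>alert(1)</script>')                        -> ''
// sanitizeHtml('<img src=x onerror=alert(1)>')                      -> '<img src="x">'
// sanitizeHtml('<a href="&#106;avascript:alert(1)">x</a>')          -> '<a>x</a>'
// sanitizeHtml('<iframe srcdoc="<script>alert(1)</script>"></iframe>') -> ''

module.exports = { sanitizeHtml, sanitizeAttrs, isSafeUrl, decodeEntities };
```

In an Aura component that has sanitization disabled, call a sanitizer like this at the point where the string is assigned to the attribute bound to aura:unescapedHTML, and never afterwards concatenate anything else into it. Note that this sanitizer fails closed: an unterminated `<script>` discards everything after it, which is the right default for an unescaped-HTML sink.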
