HTML Allowlist for Lightning Web Security

LWS doesn’t sanitize input text. It only filters HTML strings that components inserted into the DOM. Your code must validate or sanitize any user input.

Here’s a list of allowed HTML elements that are retained in the DOM after sanitization. Lightning Web Security (LWS) removes HTML elements that aren’t in this list.

a, abbr, acronym, address, area, article, aside, audio
b, bdi, bdo, big, blockquote, body, br, button
caption, canvas, center, cite, code, col, colgroup, command
datalist, dd, del, details, dfn, dir, div, dl, dt
em
fieldset, figure, figcaption, footer, form
h1, h2, h3, h4, h5, h6, head, header, hgroup, hr
i, iframe, img, input, ins
keygen, kbd
label, legend, li
map, mark, menu, meter
nav
ol, optgroup, option, output
p, pre, progress
q
rp, rt, ruby
s, samp, section, select, small, source, span, strike, strong, style, sub, summary, sup
table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt
u, ul
var, video
wbr

For example, this code contains a <script> tag, which isn’t allowed.

After sanitization, it becomes: