Lightning Web Security Sanitization

Lightning Web Security (LWS) sanitizes content strings in HTML and SVG elements that your Lightning components insert into the DOM. LWS examines the strings and removes content that poses a potential security risk. This sanitization process helps protect against cross-site scripting (XSS) attacks.

LWS uses an allowlist of elements and attributes that can remain in the DOM tree after sanitization.

LWS distortions on properties such as innerHTML and setHTML perform sanitization of strings. LWS can apply multiple distortions to some elements.

LWS doesn't sanitize input text. It only filters HTML strings that components insert into the DOM. Your code must validate or sanitize any user input.
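
One way to meet the input-validation requirement above, shown as an added example that is not Salesforce or LWS code. The helper names, the 80-character limit, and the scheme allowlist are assumptions chosen for illustration; the code validates user input and encodes it before building the HTML string a component would insert into the DOM.

```javascript
// Added example: hypothetical helpers, not part of LWS or the Lightning platform.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text so it is treated as data when placed inside an HTML string.
function encodeHtmlText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate a free-text display name: bounded length, no control characters.
// The 80-character limit is an assumed business rule.
function validateDisplayName(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const value = input.trim();
  if (value.length === 0 || value.length > 80) return { ok: false, reason: 'length' };
  if (/[\u0000-\u001f\u007f]/.test(value)) return { ok: false, reason: 'control characters' };
  return { ok: true, value };
}

// Validate a user-supplied link: it must parse as an absolute URL and use
// a scheme from an explicit allowlist (assumed here: https and mailto).
const ALLOWED_SCHEMES = new Set(['https:', 'mailto:']);
function validateLink(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    return { ok: false, reason: 'not a URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: 'scheme' };
  return { ok: true, value: url.href };
}

// Build the markup string a component would assign to innerHTML.
// Returns null when either input fails validation, so nothing is inserted.
function renderProfileLink(nameInput, linkInput) {
  const name = validateDisplayName(nameInput);
  const link = validateLink(linkInput);
  if (!name.ok || !link.ok) return null;
  return `<a href="${encodeHtmlText(link.value)}">${encodeHtmlText(name.value)}</a>`;
}
```

Validation runs first and rejects the input outright; encoding runs second so that accepted text is always treated as data inside the markup string.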
