HTML Allowlist for LWS Sanitizer
Here is a list of allowed elements, which are retained in the DOM after sanitization. LWS removes HTML elements that aren’t in this list.
a, abbr, acronym, address, area, article, aside, audio
b, bdi, bdo, big, blockquote, body, br, button
caption, canvas, center, cite, code, col, colgroup, command
datalist, dd, del, details, dfn, dir, div, dl, dt
em
fieldset, figure, figcaption, footer, form
h1, h2, h3, h4, h5, h6, head, header, hgroup, hr
i, iframe, img, input, ins
keygen, kbd
label, legend, li
map, mark, menu, meter
nav
ol, optgroup, option, output
p, pre, progress
q
rp, rt, ruby
s, samp, section, select, small, source, span, strike, strong, style, sub, summary, sup
table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt
u, ul
var, video
wbr
For example, this code contains a <script> tag, which isn’t allowed.
After sanitization, it becomes:
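The allowlist rule above, as an added JavaScript sketch; it is not LWS's implementation and not the snippet from the original page. The plain-object node model, the `sanitizeTree` function and the sample tree are assumptions made for illustration, and the sketch drops a disallowed element together with its subtree, which the page does not specify.

```javascript
// Added example (not LWS code): element allowlist applied to a plain-object tree.
// Tag names are copied from the allowlist on this page.
const ALLOWED = new Set([
  "a abbr acronym address area article aside audio b bdi bdo big blockquote",
  "body br button caption canvas center cite code col colgroup command",
  "datalist dd del details dfn dir div dl dt em fieldset figure figcaption",
  "footer form h1 h2 h3 h4 h5 h6 head header hgroup hr i iframe img input ins",
  "keygen kbd label legend li map mark menu meter nav ol optgroup option output",
  "p pre progress q rp rt ruby s samp section select small source span strike",
  "strong style sub summary sup table tbody td textarea tfoot th thead time tr",
  "track tt u ul var video wbr",
].join(" ").split(" "));

// Hypothetical node model: { tag, children } for elements, { text } for text.
// Attribute filtering is out of scope; this page lists elements only.
function sanitizeTree(root) {
  const removed = []; // audit trail of dropped element names
  const walk = (node) => {
    if (typeof node.text === "string") return { text: node.text };
    // HTML tag names are case-insensitive, so normalize before the lookup.
    const tag = String(node.tag).toLowerCase();
    if (!ALLOWED.has(tag)) {
      removed.push(tag);
      return null; // assumption: the whole subtree goes with the element
    }
    const children = (node.children || []).map(walk).filter(Boolean);
    return { tag, children };
  };
  return { tree: walk(root), removed };
}

// Constructed sample input, not taken from the page.
const sample = {
  tag: "div",
  children: [
    { tag: "p", children: [{ text: "Hello" }] },
    { tag: "SCRIPT", children: [{ text: "doSomething()" }] },
    { tag: "section", children: [
      { tag: "object", children: [] },
      { tag: "b", children: [{ text: "kept" }] },
    ] },
  ],
};

const result = sanitizeTree(sample);
console.log(JSON.stringify(result.tree), "removed:", result.removed);
```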