HTML Allowlist for LWS Sanitizer

Here is a list of allowed elements, which are retained in the DOM after sanitization. LWS removes HTML elements that aren’t in this list.

  • a, abbr, acronym, address, area, article, aside, audio
  • b, bdi, bdo, big, blockquote, body, br, button
  • caption, canvas, center, cite, code, col, colgroup, command
  • datalist, dd, del, details, dfn, dir, div, dl, dt
  • em
  • fieldset, figure, figcaption, footer, form
  • h1, h2, h3, h4, h5, h6, head, header, hgroup, hr
  • i, iframe, img, input, ins
  • keygen, kbd
  • label, legend, li
  • map, mark, menu, meter
  • nav
  • ol, optgroup, option, output
  • p, pre, progress
  • q
  • rp, rt, ruby
  • s, samp, section, select, small, source, span, strike, strong, style, sub, summary, sup
  • table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt
  • u, ul
  • var, video
  • wbr

For example, this code contains a <script> tag, which isn’t allowed.

After sanitization, it becomes: