Pen Settings



CSS Base

Vendor Prefixing

Add External Stylesheets/Pens

Any URLs added here will be added as <link>s in order, and before the CSS in the editor. You can use the CSS from another Pen by using its URL and the proper URL extension.

+ add another resource


Babel includes JSX processing.

Add External Scripts/Pens

Any URL's added here will be added as <script>s in order, and run before the JavaScript in the editor. You can use the URL of any other Pen and it will include the JavaScript from that Pen.

+ add another resource


Add Packages

Search for and use JavaScript packages from npm here. By selecting a package, an import statement will be added to the top of the JavaScript editor for this package.


Auto Save

If active, Pens will autosave every 30 seconds after being saved once.

Auto-Updating Preview

If enabled, the preview panel updates automatically as you code. If disabled, use the "Run" button to update.

Format on Save

If enabled, your code will be formatted when you actively save your Pen. Note: your code becomes un-folded during formatting.

Editor Settings

Code Indentation

Want to change your Syntax Highlighting theme, Fonts and more?

Visit your global Editor Settings.


                <div id="app"></div>




 * Sanitize an HTML string
 * (c) 2021 Chris Ferdinandi, MIT License,
 * @param  {String}          str   The HTML string to sanitize
 * @param  {Boolean}         nodes If true, returns HTML nodes instead of a string
 * @return {String|NodeList}       The sanitized string or nodes
function cleanHTML (str, nodes) {

	 * Convert the string to an HTML document
	 * @return {Node} An HTML document
	function stringToHTML () {
		let parser = new DOMParser();
		let doc = parser.parseFromString(str, 'text/html');
		return doc.body || document.createElement('body');

	 * Remove <script> elements
	 * @param  {Node} html The HTML
	function removeScripts (html) {
		let scripts = html.querySelectorAll('script');
		for (let script of scripts) {

	 * Check if the attribute is potentially dangerous
	 * @param  {String}  name  The attribute name
	 * @param  {String}  value The attribute value
	 * @return {Boolean}       If true, the attribute is potentially dangerous
	function isPossiblyDangerous (name, value) {
		let val = value.replace(/\s+/g, '').toLowerCase();
		if (['src', 'href', 'xlink:href'].includes(name)) {
			if (val.includes('javascript:') || val.includes('data:text/html')) return true;
		if (name.startsWith('on')) return true;

	 * Remove potentially dangerous attributes from an element
	 * @param  {Node} elem The element
	function removeAttributes (elem) {

		// Loop through each attribute
		// If it's dangerous, remove it
		let atts = elem.attributes;
		for (let {name, value} of atts) {
			if (!isPossiblyDangerous(name, value)) continue;


	 * Remove dangerous stuff from the HTML document's nodes
	 * @param  {Node} html The HTML document
	function clean (html) {
		let nodes = html.children;
		for (let node of nodes) {

	// Convert the string to HTML
	let html = stringToHTML();

	// Sanitize it

	// If the user wants HTML nodes back, return them
	// Otherwise, pass a sanitized string back
	return nodes ? html.childNodes : html.innerHTML;


// Get the element to inject into
var app = document.querySelector('#app');

// Malicious third-party code
let thirdPartyString = `<img src=x onerror="alert('XSS Attack')">`;
let thirdPartyURL = `javascript:alert('Another XSS Attack')`;

// Create an HTML string
let htmlStr =
	<p><a href="${thirdPartyURL}">View My Profile</a></p>`;

// app.innerHTML = cleanHTML(htmlStr);
app.append(...cleanHTML(htmlStr, true));