<!-- HTML -->
<center><h1>HTML Sanitization</h1></center>
<div id="demo">
    <label>Input HTML to sanitize</label><br/>
    <textarea id="input" rows="5" cols="50"></textarea>
    <textarea id="output" rows="5" cols="50"></textarea>
    <p><button onclick="sanitize(); return false;">Sanitize!</button></p>
</div>
<div id="explanation">
    This is a demonstration of how to use the Google Caja project's <a href="https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer">HTML sanitizer</a> JavaScript function to sanitize third-party HTML. It strips style tags and script tags, and lets you modify or remove URLs and class/ID values through two policy callbacks.
</div>
/* CSS */
body {
  font-family: Helvetica, Verdana, Arial, Sans-serif;
  font-size: 18px;
  background-color: #222222;
  color: #F8F8F8;
  max-width: 800px;
}

a, a:hover, a:active, a:visited {
  color: #19F1FF;
}

h1 {
  margin-bottom: 20px;
  color: #FFDC00;
  font-size: 24px;
  font-weight: normal;
  text-transform: uppercase;
}

#demo {
  float: right;
  width: 400px;
}

#explanation {
  margin-left: 10px;
  margin-right: 450px;
}

label {
  color: #19F1FF;
  text-transform: uppercase;
  font-size: 14px;
}

p {
  margin-top: 0px;
}

button {
  background-image: none;
  background-color: #FFDC00;
  color: #222222;
  border: none;
  font-size: 18px;
  padding: 12px;
}
// JS (jQuery and Caja's html-sanitizer.js are loaded by the pen as external scripts)

// Takes a URL and either modifies it or strips it by returning null
function urlTransformer(url) {
  console.log("Transforming URL: %s", url);
  // Demo policy: every URL found in the untrusted HTML is replaced with a known-good one
  return "http://goodsite.com/goodimage.jpg";
}

// Takes in an element ID or class name and either modifies it or strips it by returning null
function classIdTransformer(name) {
  console.log("Transforming Class/Id: %s", name);
  if (name !== 'myImage') {
    return name;
  }
  return null; // strip the 'myImage' token entirely
}

// note need to escape the slash in close <script> tag otherwise browser thinks we are closing the script tag codepen puts us in
var defaultHtml =
    "<style>background-color: red;</style>" +
    "<a style='color:blue' href='javascript:myBadFunction()' onclick='alert(\"Doing something bad\")'>Click me I dare you</a>" +
    "<script src='http://badsite.com/bad.js'></\script>" +
    "<img id='myImage' class='myClass' src='http://www.badsite.com/myimage.jpg'/>";

function sanitize() {
  var html = $("#input").val();
  console.log("HTML is: " + html);
  console.groupCollapsed("Sanitizing input HTML: %s", html);
  // Caja's entry point: html_sanitize(htmlText, urlPolicy, nameTokenPolicy)
  var sanitized = html_sanitize(html, urlTransformer, classIdTransformer);
  console.groupEnd();

  console.log("Sanitized HTML is: %s", sanitized);
  // Show the result in the output textarea
  $("#output").val(sanitized);
}

$( document ).ready(function() {
  // Pre-fill the input with the sample untrusted HTML (the pen's handler body was cut off; this is the assumed intent)
  $("#input").val(defaultHtml);
});
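The pen's two policies are deliberately simple (every URL becomes one fixed image, one token is dropped). The following is an added example, not code from the pen or from Caja, of what stricter policies for the same html_sanitize(html, urlPolicy, nmTokenPolicy) hook points look like; ALLOWED_HOSTS, strictUrlPolicy and prefixedNmTokenPolicy are names chosen here, and the handling of space-separated class lists is an assumption about what Caja passes to the name-token policy.

```javascript
// Assumed allowlist (constructed for this example): hosts the host page is willing to load assets from.
var ALLOWED_HOSTS = ['goodsite.com', 'www.goodsite.com'];

// URL policy: return the URL to keep, or null to strip the attribute entirely.
function strictUrlPolicy(url) {
  var parsed;
  try {
    // Relative URLs resolve against a placeholder base so the scheme can be inspected;
    // they end up on the placeholder host and are therefore dropped below.
    parsed = new URL(url, 'https://placeholder.invalid/');
  } catch (e) {
    return null; // unparseable -> strip
  }
  // Only http(s) survives; javascript:, data:, vbscript: and friends are all dropped here.
  // The URL parser also strips leading whitespace and embedded tabs/newlines before this check.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  if (ALLOWED_HOSTS.indexOf(parsed.hostname) === -1) {
    return null;
  }
  return parsed.href; // normalised form (lower-cased scheme and host)
}

// Name-token policy: ids and class names in untrusted HTML can collide with the host page's
// own (DOM clobbering, CSS hijacking), so namespace every token instead of passing it through.
// Assumption: the value may be a space-separated list of class names, so each token is handled.
function prefixedNmTokenPolicy(name) {
  var prefixed = name.split(/\s+/).filter(Boolean).map(function (token) {
    // Keep only well-formed tokens; anything else is dropped.
    return /^[A-Za-z][\w-]*$/.test(token) ? 'untrusted-' + token : null;
  }).filter(Boolean).join(' ');
  return prefixed || null; // null tells the sanitizer to remove the attribute
}

// Usage with Caja (html_sanitize comes from the externally loaded html-sanitizer.js, not defined here):
//   var clean = html_sanitize(html, strictUrlPolicy, prefixedNmTokenPolicy);
```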