v-sanitize-html
Render an HTML string as sanitized markup — a safe drop-in for v-html. It strips script tags, event-handler attributes (onclick, onerror, …), and javascript: URLs before setting the content, so user-supplied HTML can't run scripts.
It sanitizes in the browser (on mount and update), so it is safe to use during server-side rendering.
Import
ts
import vSanitizeHtml from '@leaflink/stash-vue/directives/sanitizeHtml';
Basic usage
vue
<div v-sanitize-html="dirtyHtml"></div>
Tightening the allowlist
Pass an object to restrict the tags or attributes for a single use site. options is a DOMPurify config:
vue
<div v-sanitize-html="{ html: dirtyHtml, options: { ALLOWED_TAGS: ['b', 'i'] } }"></div>
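A fuller single-file component for the allowlist case above, added here as an illustration and not taken from the stash-vue code base. The names `comment` and `COMMENT_POLICY` and the sample input are constructed; `ALLOWED_ATTR` is a standard DOMPurify option that this page does not otherwise mention.

```vue
<script setup lang="ts">
import { ref } from 'vue';
// In <script setup>, a camelCase binding that starts with "v" is usable as a
// local directive, so this import enables v-sanitize-html in the template.
import vSanitizeHtml from '@leaflink/stash-vue/directives/sanitizeHtml';

// Constructed sample input standing in for user-supplied HTML.
const comment = ref(
  '<b>Thanks!</b> <img src="x" onerror="alert(1)"> ' +
    '<a href="https://example.com/docs" onclick="track()">docs</a>',
);

// Keep the DOMPurify config as a fixed constant; never build it from user input.
// ALLOWED_TAGS and ALLOWED_ATTR replace DOMPurify's default allowlists rather
// than extending them, so any tag or attribute not named here is removed.
const COMMENT_POLICY = {
  ALLOWED_TAGS: ['b', 'i', 'a'],
  ALLOWED_ATTR: ['href'],
};
</script>

<template>
  <!-- String form: the directive's default sanitization applies. -->
  <div class="preview" v-sanitize-html="comment"></div>

  <!-- Object form: only <b>, <i> and <a href> survive for this use site;
       the <img> element and the onclick attribute are dropped. -->
  <div
    class="comment"
    v-sanitize-html="{ html: comment, options: COMMENT_POLICY }"
  ></div>
</template>
```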