Project: rehypejs/rehype-sanitize

Package: rehype-sanitize@5.0.0




rehype plugin to sanitize HTML.


This package is ESM only: Node 12+ is needed to use it and it must be imported instead of required.


npm install rehype-sanitize


Say we have the following file, index.html:

<div onmouseover="alert('alpha')">
  <a href="jAva script:alert('bravo')">delta</a>
  <img src="x" onerror="alert('charlie')">
  <iframe src="javascript:alert('delta')"></iframe>
  <math>
    <mi xlink:href="data:x,<script>alert('echo')</script>"></mi>
  </math>
</div>
<script>
require('child_process').spawn('rm', ['-r', '-f', process.env.HOME]);
</script>

And our module, example.js, looks as follows:

import fs from 'node:fs'
import {rehype} from 'rehype'
import deepmerge from 'deepmerge'
import rehypeSanitize, {defaultSchema} from 'rehype-sanitize'

// Extend the default schema so that <math> and <mi> elements survive sanitization.
const schema = deepmerge(defaultSchema, {tagNames: ['math', 'mi']})
const buf = fs.readFileSync('index.html')

rehype()
  .data('settings', {fragment: true})
  .use(rehypeSanitize, schema)
  .process(buf)
  .then((file) => {
    console.log(String(file))
  })

Now, running node example yields:

  <img src="x">



This package exports the following identifiers: defaultSchema. The default export is rehypeSanitize.

unified().use(rehypeSanitize[, schema])

Remove potentially dangerous things from HTML, or, more precisely: keep only the safe things in a document.


The sanitization schema defines whether and how nodes and properties are cleaned. The schema is documented in hast-util-sanitize. The default schema is exported as defaultSchema.


Improper use of rehype-sanitize can open you up to a cross-site scripting (XSS) attack. The defaults are safe, but deviating from them is likely unsafe.

Use rehype-sanitize as the last plugin: anything a later plugin adds to the tree is no longer sanitized, and other plugins are likely also unsafe.
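To make the schema mechanics concrete, the following is an added, self-contained illustration (not code from rehype-sanitize or hast-util-sanitize): a toy allow-list sanitizer over a hast-like tree that uses a schema in the same shape as hast-util-sanitize's (tagNames, attributes, protocols, strip). toySchema is a constructed subset and not the real defaultSchema, the input tree is a constructed, simplified model of the index.html above (plain lowercase attribute names instead of hast's camelCased property names), and the serializer is a minimal stand-in for hast-util-to-html. It shows how an unlisted element is unwrapped, how a stripped element disappears with its subtree, how a disguised javascript: href is rejected, and how widening the allow list by a single attribute is enough to let an event handler through.

```javascript
// Toy allow-list sanitizer in the shape of a hast-util-sanitize schema.
// Added illustration only: NOT rehype-sanitize's or hast-util-sanitize's code.
// toySchema is a constructed subset, not the real defaultSchema.
const toySchema = {
  tagNames: ['div', 'p', 'a', 'img'],
  attributes: {a: ['href'], img: ['src', 'alt'], '*': ['title']},
  protocols: {href: ['http', 'https', 'mailto'], src: ['http', 'https']},
  strip: ['script']
}

const VOID_ELEMENTS = new Set(['img', 'br', 'hr', 'input'])

// True when a URL-valued attribute is relative or uses an allowed scheme.
// Whitespace and control characters are removed first, so "jAva script:"
// is judged as "javascript:" instead of slipping past a naive prefix check.
function protocolAllowed(value, allowed) {
  const cleaned = String(value).replace(/[\u0000-\u0020]+/g, '').toLowerCase()
  const colon = cleaned.indexOf(':')
  if (colon === -1) return true // no scheme: relative URL such as "x"
  const slash = cleaned.indexOf('/')
  if (slash !== -1 && slash < colon) return true // "dir/a:b" is still a path
  return allowed.includes(cleaned.slice(0, colon))
}

// Keep only properties allowed for this tag (or for '*'); drop URL-valued
// properties whose scheme is not allowed for that attribute name.
function sanitizeProperties(tagName, properties, schema) {
  const allowed = new Set([
    ...(schema.attributes[tagName] || []),
    ...(schema.attributes['*'] || [])
  ])
  const out = {}
  for (const [name, value] of Object.entries(properties || {})) {
    if (!allowed.has(name)) continue // e.g. onmouseover, onerror, xlink:href
    const protocols = schema.protocols[name]
    if (protocols && !protocolAllowed(value, protocols)) continue // e.g. javascript:
    out[name] = value
  }
  return out
}

// Allowed elements are kept with cleaned properties; elements in `strip` are
// removed with their whole subtree; any other element is unwrapped, i.e.
// replaced by its sanitized children. Comments and other node types are dropped.
function sanitizeChildren(nodes, schema) {
  const result = []
  for (const node of nodes) {
    if (node.type === 'text') {
      result.push({type: 'text', value: node.value})
    } else if (node.type === 'element' && !schema.strip.includes(node.tagName)) {
      const children = sanitizeChildren(node.children || [], schema)
      if (schema.tagNames.includes(node.tagName)) {
        const properties = sanitizeProperties(node.tagName, node.properties, schema)
        result.push({type: 'element', tagName: node.tagName, properties, children})
      } else {
        result.push(...children)
      }
    }
  }
  return result
}

function sanitize(tree, schema) {
  return {type: 'root', children: sanitizeChildren(tree.children, schema)}
}

// Minimal escaping serializer so the effect is visible (not hast-util-to-html).
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;')
}

function toHtml(node) {
  if (node.type === 'root') return node.children.map(toHtml).join('')
  if (node.type === 'text') return escapeHtml(node.value)
  const attrs = Object.entries(node.properties)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('')
  if (VOID_ELEMENTS.has(node.tagName)) return `<${node.tagName}${attrs}>`
  return `<${node.tagName}${attrs}>${node.children.map(toHtml).join('')}</${node.tagName}>`
}

function sanitizeToHtml(tree, schema) {
  return toHtml(sanitize(tree, schema))
}

// Constructed hast-like input modelled on the index.html above (simplified).
const el = (tagName, properties, children = []) => ({type: 'element', tagName, properties, children})
const text = (value) => ({type: 'text', value})
const constructedInput = {
  type: 'root',
  children: [
    el('div', {onmouseover: "alert('alpha')"}, [
      el('a', {href: "jAva script:alert('bravo')"}, [text('delta')]),
      el('img', {src: 'x', onerror: "alert('charlie')"}),
      el('iframe', {src: "javascript:alert('delta')"})
    ]),
    el('script', {}, [text('/* would run if the element were kept */')])
  ]
}

// Widening the allow list is where the risk comes in: allowing `onerror` on
// <img> lets the handler through untouched.
const widenedSchema = {
  ...toySchema,
  attributes: {...toySchema.attributes, img: ['src', 'alt', 'onerror']}
}

console.log(sanitizeToHtml(constructedInput, toySchema))
// → <div><a>delta</a><img src="x"></div>
console.log(sanitizeToHtml(constructedInput, widenedSchema))
// → <div><a>delta</a><img src="x" onerror="alert('charlie')"></div>
```

With toySchema the iframe vanishes because it is unwrapped and has no children, the script is stripped outright, and the href is dropped because the cleaned scheme is javascript; the second run differs only by one extra attribute name in the schema, which is exactly the kind of deviation from the defaults the note above warns about.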


See contributing.md in rehypejs/.github for ways to get started. See support.md for ways to get help.

This project has a code of conduct. By interacting with this repository, organization, or community you agree to abide by its terms.


MIT © Titus Wormer