Clean HTML Plugin
- Description
- Features
- cleanHTML.timeout
- cleanHTML.replaceNBSP
- cleanHTML.fillEmptyParagraph
- cleanHTML.removeEmptyElements
- cleanHTML.replaceOldTags
- cleanHTML.useIframeSandbox
- cleanHTML.removeOnError
- cleanHTML.safeJavaScriptLink
- cleanHTML.allowTags
- cleanHTML.denyTags
- cleanHTML.disableCleanFilter
- Basic XSS Protection
- Strict Whitelisting
- Allow Specific Attributes
- Eraser Button (Remove Formatting)
- Priority: allowTags vs denyTags
- Button
- Notes
- Classes
Automatically cleans and sanitizes HTML content to prevent XSS attacks and unwanted markup. Provides tag/attribute filtering, format removal, and HTML normalization.
Description
This plugin continuously monitors and cleans HTML content in the editor. It removes dangerous scripts, normalizes markup, and enforces tag/attribute restrictions. Also adds an "Eraser" button for removing formatting from selected text.
Features
- XSS Protection: Removes dangerous scripts and event handlers
- Tag Filtering: Allow/deny specific HTML tags
- Attribute Control: Control which attributes are permitted
- Format Removal: "Eraser" button to clear formatting
- Auto-cleaning: Cleans HTML on change, paste, and mode switch
- Tag Normalization: Replace old tags (
<i>
→<em>
,<b>
→<strong>
) - Empty Element Removal: Removes unnecessary empty tags
- Sandbox Mode: Optional iframe sandbox for extra security
cleanHTML.timeout
- Type:
number
- Default:
300
- Description: Delay (ms) before applying cleaning after changes
const editor = Jodit.make('#editor', {
cleanHTML: {
timeout: 500 // Clean after 500ms of inactivity
}
});
cleanHTML.replaceNBSP
- Type:
boolean
- Default:
true
- Description: Replace
with regular spaces
const editor = Jodit.make('#editor', {
cleanHTML: {
replaceNBSP: false // Keep non-breaking spaces
}
});
cleanHTML.fillEmptyParagraph
- Type:
boolean
- Default:
true
- Description: Remove empty
<p>
tags (except at start)
cleanHTML.removeEmptyElements
- Type:
boolean
- Default:
true
- Description: Remove all empty elements
cleanHTML.replaceOldTags
- Type:
IDictionary<HTMLTagNames> | false
- Default:
{ i: 'em', b: 'strong' }
- Description: Replace deprecated tags with modern equivalents
const editor = Jodit.make('#editor', {
cleanHTML: {
replaceOldTags: {
i: 'em',
b: 'strong',
strike: 's'
}
}
});
cleanHTML.useIframeSandbox
- Type:
boolean
- Default:
false
- Description: Use iframe sandbox for safer HTML testing (slower)
const editor = Jodit.make('#editor', {
cleanHTML: {
useIframeSandbox: true // Extra security, reduced performance
}
});
cleanHTML.removeOnError
- Type:
boolean
- Default:
true
- Description: Remove
onerror
attributes from tags
cleanHTML.safeJavaScriptLink
- Type:
boolean
- Default:
true
- Description: Sanitize
javascript:
URLs inhref
attributes
cleanHTML.allowTags
- Type:
false | string | IDictionary<string>
- Default:
false
- Description: Explicitly allowed tags and attributes
For instance, you can explicitly define which tags or attributes are allowed or disallowed:
Jodit.make('#editor', {
cleanHTML: {
allowTags: {
p: true,
a: {
href: true
},
table: true,
tbody: true,
tr: true,
td: true,
th: false,
img: {
src: '1.png'
}
}
}
});
You can also disable specific tags. For example, let's disable script tags and images:
Jodit.make('#editor', {
cleanHTML: {
denyTags: 'script,img'
}
});
Alternatively, you can use an object to specify the denied tags:
Jodit.make('#editor', {
cleanHTML: {
denyTags: {
script: true,
img: true
}
}
});
The plugin settings can be accessed under the namespace Config.cleanHTML.
String format:
const editor = Jodit.make('#editor', {
cleanHTML: {
allowTags: 'p,a[href],table,tr,td,img[src=1.png]'
// Allow only <p>, <a>, <table>, <tr>, <td>, <img>
// For <a>: only href attribute
// For <img>: only src="1.png"
}
});
cleanHTML.denyTags
- Type:
false | string | IDictionary<string>
- Default:
'script'
- Description: Explicitly denied tags
String format:
const editor = Jodit.make('#editor', {
cleanHTML: {
denyTags: 'script,img'
}
});
Object format:
const editor = Jodit.make('#editor', {
cleanHTML: {
denyTags: {
script: true,
img: true
}
}
});
cleanHTML.disableCleanFilter
- Type:
Nullable<Set<string>>
- Default:
null
- Description: Disable specific cleaning filters
Basic XSS Protection
const editor = Jodit.make('#editor', {
cleanHTML: {
denyTags: 'script,iframe',
removeOnError: true,
safeJavaScriptLink: true
}
});
Strict Whitelisting
const editor = Jodit.make('#editor', {
cleanHTML: {
allowTags: {
p: true,
strong: true,
em: true,
a: {
href: true,
target: '_blank' // Only allow target="_blank"
}
}
}
});
editor.value = '<p>Hello <strong>world</strong> <script>alert(1)</script></p>';
console.log(editor.value); // <p>Hello <strong>world</strong> </p>
Allow Specific Attributes
const editor = Jodit.make('#editor', {
cleanHTML: {
allowTags: {
img: {
src: true,
alt: true,
width: true,
height: true
},
a: {
href: true
}
}
}
});
Eraser Button (Remove Formatting)
The plugin adds an "eraser" button to the toolbar:
const editor = Jodit.make('#editor');
// User clicks eraser button or uses:
editor.execCommand('removeFormat');
Priority: allowTags vs denyTags
Important: allowTags
takes priority over denyTags
. If allowTags
is set, all tags not in the whitelist are removed.
const editor = Jodit.make('#editor', {
cleanHTML: {
allowTags: {
script: true,
},
denyTags: {
script: true, // This is ignored!
}
}
});
editor.value = '<script>alert(1)</script><p>test</p>';
console.log(editor.value); // <script>alert(1)</script>
// Only script tag is allowed, <p> is removed
Button
- Name:
eraser
- Group:
font-style
- Command:
removeFormat
- Tooltip: "Clear Formatting"
Notes
- Plugin runs continuously with lazy evaluation (
LazyWalker
) - Cleaning is throttled by
timeout
option - Uses visitor pattern for extensible filtering rules
- Filters can be found in
helpers/visitor/filters/
- Essential for security in user-generated content scenarios