HTML Sanitizer API - Strip XSS & Dangerous Tags
Strips unsafe HTML elements like script, iframe, and object tags, along with event handler attributes (onclick, onerror). You can optionally pass an allowedTags list to control exactly which tags are permitted in the output.
Code examples
curl -X POST https://api.botoi.com/v1/html-sanitize \
-H "Content-Type: application/json" \
-d '{"html":"<p>Hello</p><script>alert(\"xss\")</script><img onerror=\"steal()\" src=\"x\">","allowedTags":"p,b,i,a,ul,ol,li,br,strong,em"}'
When to use this API
Sanitize rich text editor output before storage
Clean HTML from WYSIWYG editors (TinyMCE, Quill, ProseMirror) before saving to your database to prevent stored XSS attacks.
Clean HTML in RSS feed aggregators
Sanitize HTML content from external RSS feeds before rendering it in your app so malicious markup cannot execute.
Process user-submitted HTML in comments
Allow users to format comments with basic HTML (bold, italic, links) while stripping scripts and unsafe attributes.
Frequently asked questions
What tags are allowed by default?
The default allowlist includes common formatting tags: p, b, i, strong, em, a, ul, ol, li, br, h1-h6, blockquote, pre, code, img, and table elements.
Are data attributes removed?
Yes. Custom data-* attributes are stripped by default since they can carry payloads for XSS attacks. Only standard safe attributes are preserved.
Does this handle CSS-based attacks?
Yes. Inline style attributes containing expressions, url(), or behavior directives are removed.
Is the output guaranteed to be XSS-safe?
The sanitizer follows the OWASP XSS prevention rules and strips all known attack vectors. Combined with Content Security Policy headers, it provides strong XSS protection.
Can I allow iframes for embedded videos?
Yes. Add "iframe" to the allowedTags array. Pair this with a domain allowlist on your server to restrict iframe sources to trusted providers like YouTube or Vimeo.
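The following is an added, self-contained illustration of the allowlist behaviour the FAQ describes; it is not the botoi service's own implementation. It parses the input with Python's stdlib HTMLParser and applies the rules from the answers above: tags outside the allowlist are removed (script, object, iframe and similar also lose their contents), every on* and data-* attribute is stripped, style attributes containing expression, url( or behavior are dropped, and iframe is only kept when its src host is on a domain allowlist. It goes one step further than the FAQ's wording by also rejecting javascript: and data: URLs in href and src. DEFAULT_ALLOWED_TAGS follows the list in the first answer (the table sub-elements are assumed), and SAFE_ATTRS is an assumed list, since the page does not enumerate its "standard safe attributes". The sample inputs in the test are constructed, apart from the body of the curl example above.

```python
"""Allowlist-based HTML sanitizer.

Added illustration of the behaviour described in the FAQ; NOT the botoi
API's own implementation. The tag/attribute lists below are assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Mirrors the default allowlist named in the FAQ; table sub-elements are assumed.
DEFAULT_ALLOWED_TAGS = {
    "p", "b", "i", "strong", "em", "a", "ul", "ol", "li", "br",
    "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "pre", "code", "img",
    "table", "thead", "tbody", "tr", "th", "td",
}
# Assumed "standard safe attributes" per tag (the page does not list them).
SAFE_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "iframe": {"src", "width", "height", "allowfullscreen"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
# Disallowed elements whose *content* is dropped too, not just the tags.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
VOID = {"br", "img", "hr"}
# "" covers relative URLs such as src="x" in the page's curl example.
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}
STYLE_BLOCKLIST = ("expression", "url(", "behavior")


class _Sanitizer(HTMLParser):
    def __init__(self, allowed_tags, iframe_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed_tags
        self.iframe_hosts = iframe_hosts
        self.out = []
        self.skip_tag = None   # element whose whole subtree is being discarded
        self.skip_depth = 0

    @staticmethod
    def _safe_url(value):
        return urlparse(value.strip()).scheme.lower() in SAFE_URL_SCHEMES

    def _iframe_ok(self, attrs):
        # The domain allowlist the FAQ recommends for embeds (assumed https-only).
        src = dict(attrs).get("src") or ""
        parsed = urlparse(src.strip())
        return parsed.scheme == "https" and parsed.hostname in self.iframe_hosts

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name.startswith("data-"):
                continue  # event handlers and data-* are always stripped
            if name == "style":
                if any(bad in value.lower() for bad in STYLE_BLOCKLIST):
                    continue  # expression(), url(), behavior: style dropped
                kept.append((name, value))
                continue
            if name not in SAFE_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not self._safe_url(value):
                continue  # javascript:, data:, vbscript: and similar schemes
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if tag not in self.allowed or (tag == "iframe" and not self._iframe_ok(attrs)):
            if tag in DROP_CONTENT:
                self.skip_tag, self.skip_depth = tag, 1
            return  # tag removed; its text content (if any) is kept
        rendered = "".join(f' {n}="{escape(v, quote=True)}"'
                           for n, v in self._clean_attrs(tag, attrs))
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth -= 1
                if self.skip_depth == 0:
                    self.skip_tag = None
            return
        if tag in self.allowed and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize(html, allowed_tags=None, iframe_hosts=()):
    """Return `html` with everything outside the allowlist removed."""
    tags = set(allowed_tags) if allowed_tags is not None else set(DEFAULT_ALLOWED_TAGS)
    parser = _Sanitizer(tags, set(iframe_hosts))
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The request body from the curl example, sanitized locally.
    print(sanitize('<p>Hello</p><script>alert("xss")</script><img onerror="steal()" src="x">',
                   allowed_tags="p,b,i,a,ul,ol,li,br,strong,em".split(",")))
```

Two design points worth noting: text nodes are re-escaped on output, so an entity the parser decoded cannot come back as markup, and a disallowed container that never closes (an unterminated iframe or object) discards the rest of the input rather than letting it through, which fails closed.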
Get your API key
Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.