Lucee Function Reference

sanitizehtml()

Sanitizes untrusted HTML input using the OWASP Java HTML Sanitizer. Only elements and attributes permitted by the active policy are kept; everything else, such as script elements, event-handler attributes (onclick, onload, ...) and javascript: URLs, is removed, and the surviving markup is re-serialized.
See also https://github.com/OWASP/java-html-sanitizer

Example

sanitizehtml(string string,[any policy]):string

Category

ESAPI,HTML

Arguments

The arguments for this function are fixed; you cannot pass any arguments other than the following ones.
Name    Type    Required  Description
string  string  Yes       The HTML string to sanitize.
policy  any     No        Either an org.owasp.html.PolicyFactory or a string naming built-in sanitizers. If omitted, all of the built-in policies are applied. The built-in sanitizers correspond to the OWASP org.owasp.html.Sanitizers policies:
  • FORMATTING  inline formatting elements such as b, i, em, strong, span, br
  • BLOCKS      block elements such as p, div, h1-h6, ul, ol, li, blockquote
  • STYLES      the style attribute, restricted to a safe subset of CSS
  • LINKS       a elements whose href uses http, https or mailto; rel="nofollow" is added
  • TABLES      table, thead, tbody, tr, td, th and related table markup
  • IMAGES      img elements with an http or https src plus alt, width, height and border
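A short usage example, added here and not part of the Lucee reference page or the Lucee project's own code. It assumes Lucee's ESAPI extension is installed, that a string policy is a comma-separated list of the built-in names above, and that the OWASP sanitizer classes bundled with the extension are reachable through createObject("java", ...) with Lucee mapping the CFML arrays onto the builder's varargs parameters; the hostile input is constructed for the example.

```cfml
<cfscript>
// Constructed hostile input: an inline event handler, a script element,
// a javascript: URL and one legitimate https link.
dirty = '<p onclick="steal()">Hello <b>world</b></p>'
      & '<script>alert(document.cookie)</script>'
      & '<a href="javascript:alert(1)">click</a>'
      & '<a href="https://example.com/">safe link</a>';

// 1. Default policy: every built-in sanitizer is applied. The script element,
//    the onclick attribute and the javascript: URL are removed; the https link
//    survives and the LINKS policy adds rel="nofollow" to it.
//    encodeForHtml is used only so the sanitized markup is displayed as text.
writeOutput("<h3>default</h3><pre>" & encodeForHtml(sanitizeHtml(dirty)) & "</pre>");

// 2. A narrower policy (assumption: comma-separated built-in names). Only
//    inline formatting is kept, so the <p> wrapper and both links are removed
//    as well, while their text content is retained.
writeOutput("<h3>FORMATTING only</h3><pre>" & encodeForHtml(sanitizeHtml(dirty, "FORMATTING")) & "</pre>");

// 3. A custom org.owasp.html.PolicyFactory built with the sanitizer's own
//    HtmlPolicyBuilder (assumption: the class is reachable via createObject).
//    Allowlist a few elements, permit href only on a, restrict href to the
//    standard protocols (http, https, mailto) and force rel="nofollow".
builder = createObject("java", "org.owasp.html.HtmlPolicyBuilder").init();
strict  = builder
    .allowElements(["p", "b", "i", "a"])
    .allowAttributes(["href"]).onElements(["a"])
    .allowStandardUrlProtocols()
    .requireRelNofollowOnLinks()
    .toFactory();
writeOutput("<h3>custom PolicyFactory</h3><pre>" & encodeForHtml(sanitizeHtml(dirty, strict)) & "</pre>");
</cfscript>
```

Two caveats worth keeping in mind. The result is re-serialized HTML, so comparing it with the input is not a reliable way to detect an attack; treat the sanitized string as the only version that may be rendered. Sanitizing also covers HTML body context only: a value that ends up inside an attribute, a script block or a URL still needs the matching encodeFor* function.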