Aerostack

text-sanitize-html Edge Function — Content


Sanitizes HTML by removing dangerous tags and attributes. Always strips script, style, iframe, form elements, and all event handlers. Keeps only whitelisted tags with whitelisted attributes.

navin @navin verified
Updated Mar 12, 2026
GitHub

Edge function text-sanitize-html: sanitizes HTML by removing dangerous tags and attributes. Always strips script, style, iframe, form elements, and all event handlers. Keeps only whitelisted tags with whitelisted attributes. Deployed on Cloudflare Workers (zero cold starts, globally distributed). Mount it via your Aerostack workspace to call it from any AI agent.

terminal — aerostack cli
$ npx aerostack add navin/text-sanitize-html

Use with AI Assistants

MCP

Connect Claude, Cursor, or any MCP-compatible client — then call this function by slug

① Add MCP Server

Add this once — access all Aerostack functions from your AI tool.

claude_desktop_config.json
{
  "mcpServers": {
    "aerostack": {
      "url": "https://mcp.aerostack.dev",
      "type": "http"
    }
  }
}

② Call this function

Ask your AI to use the call_function tool with this slug:

call_function
call_function({
  slug: "text-sanitize-html",
  args: {
    "html": "example_html",
    "allowTags": null,
    "allowAttributes": null,
    "stripComments": true
  }
})

text-sanitize-html — Sanitize HTML Against XSS

Sanitizes HTML by stripping dangerous tags, event handlers, and unsafe URLs. Keeps only explicitly allowed tags and attributes to prevent XSS attacks.


API

POST /api/text-sanitize-html

Request body

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| html | string | yes | | The HTML string to sanitize |
| allowTags | string[] | no | See below | Tags to keep in output |
| allowAttributes | Record<string, string[]> | no | { a: ['href','title','target'] } | Allowed attributes per tag |
| stripComments | boolean | no | true | Remove HTML comments |

Default allowed tags: p, br, strong, em, a, ul, ol, li, code, pre, blockquote, h1 through h6

Always stripped (regardless of allowTags): script, style, iframe, object, embed, form, input, button

Always stripped attributes: any attribute starting with on (e.g. onclick, onerror, onload)

Always stripped URL schemes: javascript: and data: in href/src attributes

Success response (200)

{
  "success": true,
  "data": {
    "html": "<p>Hello <strong>world</strong>.</p>",
    "strippedTagCount": 3
  }
}

Error responses

| Code | HTTP | When |
|---|---|---|
| INVALID_INPUT | 400 | Missing or invalid html field |
| INTERNAL_ERROR | 500 | Unexpected processing error |

Usage

cURL
curl -X POST "$FUNCTION_URL/api/text-sanitize-html" \
  -H "Content-Type: application/json" \
  -d '{
    "html": "<p onclick=\"alert(1)\">Hello <script>evil()</script> World</p>",
    "allowTags": ["p", "strong", "em"],
    "allowAttributes": {}
  }'
TypeScript / JavaScript (HTTP)
const response = await fetch(`${FUNCTION_URL}/api/text-sanitize-html`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    html: userProvidedHtml,
    allowTags: ['p', 'strong', 'em', 'a', 'ul', 'ol', 'li'],
    allowAttributes: { a: ['href', 'title'] },
    stripComments: true,
  }),
});
const { data } = await response.json();
console.log(data.html);           // safe HTML
console.log(data.strippedTagCount); // number of removed tags
Direct import (Node / Bun / Deno)
import { sanitizeHtml } from '@aerostack/functions/text-sanitize-html';

const result = sanitizeHtml({
  html: '<div><p>Safe content.</p><script>alert(1)</script></div>',
});
console.log(result.html);           // <p>Safe content.</p>
console.log(result.strippedTagCount); // 3 (div, script, /div)

Use Cases

  • User-generated content: Sanitize comments, forum posts, or profile bios that contain HTML before storing or rendering.
  • AI-generated HTML: Clean up HTML produced by LLMs before injecting it into a web page to ensure no accidental XSS vectors.
  • Email body validation: Strip dangerous elements from HTML emails before storing or forwarding.
  • Rich text editor output: Process output from WYSIWYG editors (TipTap, ProseMirror, Quill) before saving to a database.

Notes

  • script, style, iframe, object, embed, form, input, and button are always removed and cannot be added to allowTags.
  • All on* attributes (e.g. onclick, onerror, onload) are always removed regardless of allowAttributes.
  • javascript: and data: URL schemes in href/src are always removed.
  • Text content inside stripped tags is preserved (e.g. <div>text</div> becomes text). Exception: script and style content is removed entirely.
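To make the rules in the API section and the Notes concrete, here is an added example that models the documented policy: an allowlist sanitizer that always drops the fixed tag set, every on* attribute and javascript:/data: URLs, removes script/style content but keeps text from other stripped tags, and counts stripped tags. It is not the Aerostack implementation; it uses a simplified tag tokenizer rather than a full HTML5 parser, so it illustrates the policy rather than replacing the function.

```typescript
// Added example, not the Aerostack implementation: a minimal model of the documented
// policy built on a simplified tag tokenizer (not a full HTML5 parser).
const ALWAYS_STRIP = new Set(["script", "style", "iframe", "object", "embed", "form", "input", "button"]);
const DEFAULT_TAGS = ["p", "br", "strong", "em", "a", "ul", "ol", "li", "code", "pre",
  "blockquote", "h1", "h2", "h3", "h4", "h5", "h6"];
const DEFAULT_ATTRS: Record<string, string[]> = { a: ["href", "title", "target"] };

interface SanitizeOptions { html: string; allowTags?: string[] | null;
  allowAttributes?: Record<string, string[]> | null; stripComments?: boolean; }
interface SanitizeResult { html: string; strippedTagCount: number; }

// A browser decodes character references and ignores leading whitespace and
// control characters before it parses the scheme, so the check does the same.
function isUnsafeUrl(value: string): boolean {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_m, h: string) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_m, d: string) => String.fromCharCode(Number(d)));
  const scheme = decoded.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  return scheme.startsWith("javascript:") || scheme.startsWith("data:");
}

function sanitizeHtml(opts: SanitizeOptions): SanitizeResult {
  // The always-stripped set wins even if a caller lists one of those tags in allowTags.
  const allowTags = new Set((opts.allowTags ?? DEFAULT_TAGS).filter((t) => !ALWAYS_STRIP.has(t)));
  const allowAttrs = opts.allowAttributes ?? DEFAULT_ATTRS;
  let html = opts.html;
  if (opts.stripComments ?? true) html = html.replace(/<!--[\s\S]*?-->/g, "");
  // script/style lose their content entirely; other stripped tags keep their text.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "<$1>");
  let stripped = 0;
  const out = html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, rawName: string, rawAttrs: string) => {
    const name = rawName.toLowerCase();
    if (!allowTags.has(name)) { stripped++; return ""; }
    if (tag.startsWith("</")) return `</${name}>`;
    const kept: string[] = [];
    const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a: RegExpExecArray | null;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (attr.startsWith("on")) continue;                          // event handlers
      if ((allowAttrs[name] ?? []).indexOf(attr) === -1) continue;  // per-tag allowlist
      if ((attr === "href" || attr === "src") && isUnsafeUrl(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    return kept.length ? `<${name} ${kept.join(" ")}>` : `<${name}>`;
  });
  return { html: out, strippedTagCount: stripped };
}
```

Run against the page's own direct-import sample it returns `<p>Safe content.</p>` with strippedTagCount 3 (div, script, /div), matching the documented result.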

Metadata

Version 1.0.0
License MIT
Language typescript
Provider aerostack

Tags

text

Build and publish your own functions

Write a TypeScript function, deploy it to the edge, and share it with thousands of developers — in minutes.

Frequently asked questions

What does the text-sanitize-html function do?

text-sanitize-html is a serverless edge function for content automation written in aerostack. Deploy it to Cloudflare Workers via your Aerostack workspace.

How do I deploy the text-sanitize-html function?

Install the Aerostack CLI and run:

```bash
aerostack deploy function @navin/text-sanitize-html
```

It will be live on Cloudflare Workers in seconds.

What runtime does text-sanitize-html use?

text-sanitize-html runs on Aerostack, on the Cloudflare Workers edge runtime: zero cold starts, globally distributed.

Can I customise the text-sanitize-html function?

Yes. Fork the function from your Aerostack dashboard, modify the source, and redeploy. All changes are version-controlled.