ShadowRoot: setHTMLUnsafe() method
Baseline 2024
Newly available
Since July 2024, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
The setHTMLUnsafe()
method of the ShadowRoot
interface is used to parse a string of HTML into a DocumentFragment
, which then replaces the element's subtree in the DOM.
The input HTML may include declarative shadow roots.
The suffix "Unsafe" in the method name indicates that the method does not sanitize or remove potentially unsafe XSS-relevant input, such as <script>
elements, and script or event handler content attributes.
If the string of HTML defines more than one declarative shadow root in a particular shadow host then only the first ShadowRoot
is created — subsequent declarations are parsed as <template>
elements within that shadow root.
Note: This method should be used instead of ShadowRoot.innerHTML
when a string of HTML may contain declarative shadow roots.
Syntax
setHTMLUnsafe(html)
Parameters
html
-
A string defining HTML to be parsed.
Return value
None (undefined
).
Exceptions
None.
Specifications
Specification |
---|
HTML Standard # dom-shadowroot-sethtmlunsafe |
Browser compatibility
BCD tables only load in the browser