web-feature: Unsanitized HTML parsing methods

baseline logo Widely available

The Document.parseHTMLUnsafe() static method parses HTML into a DOM tree, while the setHTMLUnsafe() method of Element and ShadowRoot parses and inserts HTML into an existing tree. No sanitization applies to these methods, so never call them with user-provided HTML strings.

WKWebView

macOS

*

iOS

*

Android WebView

Android

*

WebView2

Windows

*

WPE MiniBrowser

Linux

2026-04

Servo

Android

2026-04

Chrome Browser

Android

124

Safari Browser

iOS

26

Notes

Support data provided by: BCD logo

Know something we don't?

Is any of the above data outdated? Or do you want to add a new WebView to the list? Heads on to GitHub and edit the data file!

Edit this page on GitHub Report an issue on GitHub

Not comfortable with GitHub? Send us an email.

Please help us keeping this data updated

This feature was last updated on April 19, 2026.