# `PhoenixKit.Utils.HtmlSanitizer`
[🔗](https://github.com/BeamLabEU/phoenix_kit/blob/v1.7.165/lib/phoenix_kit/utils/html_sanitizer.ex#L1)

HTML sanitization for rich text content in entities.

This module provides basic HTML sanitization to prevent XSS attacks
while allowing safe HTML tags commonly used in rich text editors.

## Allowed Tags

The following tags are allowed:
- Block elements: p, div, br, hr, h1-h6, blockquote, pre, code
- Inline elements: span, strong, b, em, i, u, s, a, sub, sup, mark
- Lists: ul, ol, li
- Tables: table, thead, tbody, tr, th, td
- Media placeholders: img (with src validation)

## Removed Content

The following are stripped completely:
- script tags and content
- style tags and content
- event handlers (onclick, onerror, etc.)
- javascript: and data: URLs
- iframe, object, embed tags

## Usage

    iex> PhoenixKit.Utils.HtmlSanitizer.sanitize("<p>Hello</p><script>alert('xss')</script>")
    "<p>Hello</p>"

    iex> PhoenixKit.Utils.HtmlSanitizer.sanitize("<a href=\"javascript:alert('xss')\">Click</a>")
    "<a>Click</a>"

# `sanitize`

Sanitizes HTML content by removing dangerous elements and attributes.

Returns a sanitized HTML string that is safe to render.

## Parameters

- `html` - The HTML string to sanitize

## Examples

    iex> PhoenixKit.Utils.HtmlSanitizer.sanitize("<p onclick=\"alert('xss')\">Hello</p>")
    "<p>Hello</p>"

# `sanitize_rich_text_fields`

Sanitizes all rich_text fields in an entity data map.

Takes entity field definitions and data, returns data with all
rich_text fields sanitized.

## Parameters

- `fields_definition` - List of field definition maps
- `data` - Map of field key => value

## Examples

    iex> fields = [%{"type" => "rich_text", "key" => "content"}]
    iex> data = %{"content" => "<script>alert('xss')</script><p>Hello</p>"}
    iex> PhoenixKit.Utils.HtmlSanitizer.sanitize_rich_text_fields(fields, data)
    %{"content" => "<p>Hello</p>"}
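An added ExUnit regression suite (not part of phoenix_kit) that pins the guarantees documented above for both `sanitize/1` and `sanitize_rich_text_fields/2`: exact outputs are asserted only where this page gives them, the remaining cases only check that the stripped content is absent, and the expectation that a non-`rich_text` field passes through untouched is an assumption.

```elixir
defmodule MyApp.HtmlSanitizerGuaranteesTest do
  use ExUnit.Case, async: true

  alias PhoenixKit.Utils.HtmlSanitizer

  describe "sanitize/1" do
    test "keeps safe markup, drops script/style with their content" do
      assert HtmlSanitizer.sanitize("<p>Hello</p><script>alert('xss')</script>") == "<p>Hello</p>"

      out = HtmlSanitizer.sanitize("<style>p{color:red}</style><h1>Title</h1>")
      refute out =~ "<style"
      refute out =~ "color:red"
      assert out =~ "<h1>Title</h1>"
    end

    test "removes event handlers but keeps the element" do
      assert HtmlSanitizer.sanitize("<p onclick=\"alert('xss')\">Hello</p>") == "<p>Hello</p>"
      refute HtmlSanitizer.sanitize("<img src=\"/a.png\" onerror=\"alert(1)\">") =~ "onerror"
    end

    test "drops javascript: and data: URLs" do
      assert HtmlSanitizer.sanitize("<a href=\"javascript:alert('xss')\">Click</a>") == "<a>Click</a>"
      # Output may be <img> or nothing; either way the data: URL must be gone.
      refute HtmlSanitizer.sanitize("<img src=\"data:text/plain;base64,SGk=\">") =~ "data:"
    end

    test "strips embedding elements entirely" do
      for tag <- ~w(iframe object embed) do
        refute HtmlSanitizer.sanitize("<#{tag} src=\"https://example.com\"></#{tag}>") =~ "<#{tag}"
      end
    end
  end

  describe "sanitize_rich_text_fields/2" do
    test "sanitizes only fields whose type is rich_text" do
      fields = [
        %{"type" => "rich_text", "key" => "content"},
        %{"type" => "text", "key" => "title"}
      ]

      data = %{
        "content" => "<script>alert('xss')</script><p>Hello</p>",
        # Assumption: a non-rich_text value is returned exactly as given.
        "title" => "<b>raw</b>"
      }

      assert %{"content" => "<p>Hello</p>", "title" => "<b>raw</b>"} =
               HtmlSanitizer.sanitize_rich_text_fields(fields, data)
    end
  end
end
```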

---

*Consult [api-reference.md](api-reference.md) for complete listing*
