# HTML Sanitizer API
> Make untrusted HTML safe to display. Send any HTML (a comment, a rich-text submission, a snippet from an email or a scraped page) and get back a clean, XSS-free version: `<script>` tags, inline event handlers (`onclick`, `onerror`), `javascript:` URLs, `<iframe>`, `<style>` and anything not on the allowlist are removed. Override the allowed tags and attributes to fit your needs, or drop links entirely. A strip endpoint returns plain text with all markup removed. Sanitization runs locally in the service: no upstream key, no third-party service, instant. Live. 3 endpoints. Built for user-generated content, comment systems, rich-text editors, email rendering and any place untrusted HTML reaches a browser. Distinct from a Markdown renderer or an HTML data extractor.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/htmlsanitize-api/..."
```

## Pricing
- **Free** (Free) — 1,240 calls/Mo, 2 req/s
- **Starter** ($4/Mo) — 15,000 calls/Mo, 8 req/s
- **Pro** ($24/Mo) — 156,000 calls/Mo, 20 req/s
- **Mega** ($60/Mo) — 800,000 calls/Mo, 50 req/s

## Endpoints

### Sanitize

#### `GET /v1/sanitize` — Sanitize untrusted HTML

**Parameters:**
- `html` (query, required, string) — HTML to sanitize. Example: `<p>Hi <b>x</b><script>alert(1)</script><a href="javascript:e()">a</a></p>`
- `allowed_tags` (query, optional, string) — Comma-separated allowlist (override default)
- `allowed_attributes` (query, optional, string) — Comma-separated attributes allowed on any tag
- `allow_links` (query, optional, string) — `false` to drop anchor tags

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/htmlsanitize-api/v1/sanitize?html=%3Cp%3EHi+%3Cb%3Ex%3C%2Fb%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3Ca+href%3D%22javascript%3Ae%28%29%22%3Ea%3C%2Fa%3E%3C%2Fp%3E"
```

**Response:**
```json
{
    "data": {
        "modified": true,
        "sanitized": "<p>Hi <b>x</b><a>a</a></p>",
        "original_length": 73,
        "sanitized_length": 26
    },
    "meta": {
        "timestamp": "2026-06-02T16:51:54.105Z",
        "request_id": "2d2348cf-c246-4ee0-9375-8168468fea7c"
    },
    "status": "ok",
    "message": "Sanitize HTML",
    "success": true
}
```
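
A fail-closed way to call this endpoint from Node.js 18+, added here as an example and not oanor's own client code. The function names and the `MAX_URL` cap are assumptions; the endpoint, parameters, header and response fields are the ones documented above.

```javascript
// Added example (not oanor's code): fail-closed client for GET /v1/sanitize.
const BASE = "https://api.oanor.com/htmlsanitize-api/v1/sanitize";
const MAX_URL = 8000; // assumed cap; the page documents no limit for the html parameter

// Escape for an HTML text context; used whenever a sanitized result is unavailable.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the request URL; URLSearchParams percent-encodes the markup.
function buildSanitizeUrl(html, opts = {}) {
  const url = new URL(BASE);
  url.searchParams.set("html", html);
  if (opts.allowedTags) url.searchParams.set("allowed_tags", opts.allowedTags.join(","));
  if (opts.allowedAttributes) url.searchParams.set("allowed_attributes", opts.allowedAttributes.join(","));
  if (opts.allowLinks === false) url.searchParams.set("allow_links", "false");
  if (url.href.length > MAX_URL) throw new RangeError("html too long for a GET query string");
  return url.href;
}

// Accept only the documented success shape; anything else yields escaped text.
function safeHtmlFromResponse(body, original) {
  const ok = body && body.success === true && body.data && typeof body.data.sanitized === "string";
  return ok ? body.data.sanitized : escapeHtml(original);
}

// Network wrapper: every failure path (oversized input, HTTP error, bad JSON)
// falls back to escaped text instead of passing the raw input through.
async function sanitizeRemote(html, apiKey, opts) {
  try {
    const res = await fetch(buildSanitizeUrl(html, opts), { headers: { "x-oanor-key": apiKey } });
    return safeHtmlFromResponse(res.ok ? await res.json() : null, html);
  } catch {
    return escapeHtml(html);
  }
}
```

The escaped fallback shows the submission as literal text, so a gateway outage or quota error never results in raw user HTML reaching the page.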

#### `GET /v1/strip` — Strip all HTML to plain text

**Parameters:**
- `html` (query, required, string) — HTML to strip. Example: `<p>Hi <b>there</b></p>`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/htmlsanitize-api/v1/strip?html=%3Cp%3EHi+%3Cb%3Ethere%3C%2Fb%3E%3C%2Fp%3E"
```

**Response:**
```json
{
    "data": {
        "text": "Hi there",
        "length": 8
    },
    "meta": {
        "timestamp": "2026-06-02T16:51:54.208Z",
        "request_id": "23111dea-d94e-44b7-9c1d-9d6393910d46"
    },
    "status": "ok",
    "message": "Strip HTML to text",
    "success": true
}
```

### Meta

#### `GET /v1/meta` — Spec

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/htmlsanitize-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "auth": "none upstream; this gateway requires x-api-key",
        "name": "HTML Sanitizer API",
        "note": "Make untrusted HTML safe. /v1/sanitize?html=... removes scripts, event handlers, javascript: URLs, iframes/styles and any tags/attributes not on the allowlist (override with allowed_tags=p,a,b and allowed_attributes=href,src; allow_links=false to drop anchors). /v1/strip?html=... returns plain text. For comments, user-generated content, rich-text editors and email. Instant, nothing stored.",
        "source": "Local sanitization (sanitize-html) — no key, no upstream",
        "endpoints": 3
    },
    "meta": {
        "timestamp": "2026-06-02T16:51:54.305Z",
        "request_id": "e56639ae-fe72-49c5-a443-ed25a2428363"
    },
    "status": "ok",
    "message": "Meta",
    "success": true
}
```


---
Marketplace page: https://www.oanor.com/api/htmlsanitize-api
OpenAPI spec: https://www.oanor.com/api/htmlsanitize-api/openapi.json
