Security & sanitization

VSN.js does not sanitize HTML. Any HTML inserted with vsn-html or vsn-get is inserted as-is: markup, attributes and embedded scripts reach the page unchanged. If that HTML can contain user-controlled input, it is a cross-site scripting (XSS) vector, and the application is responsible for sanitizing it before VSN sees it.

Default behavior

  • vsn-html inserts raw HTML; nothing is escaped or filtered.
  • vsn-get inserts the raw HTML of the fetched response and parses any text/vsn behavior scripts it contains, so a fetched fragment can attach behavior to the page. The endpoint it fetches from must therefore be trusted.

Server-side sanitization

If content can include user input, sanitize it on the server before it reaches VSN: escape it as text when only text is needed, and run it through an allowlist sanitizer (permitted elements, permitted attributes, permitted URL schemes) when some markup must be kept. SSR pipelines are the right place to do this, because the same sanitized fragment then serves both the initial render and later vsn-get requests.

Optional sanitize-html plugin

If content that is not trusted must also be sanitized on the client, use the sanitize-html plugin. Treat it as defense in depth, not as a replacement for server-side sanitization: it only covers HTML that VSN itself inserts.

CSP guidance

Avoid 'unsafe-inline' in script-src where possible. Put VSN behavior in script tags with type="text/vsn" instead of inline JS: the browser does not execute script elements with a non-JavaScript type, so they are not blocked by the inline-script restriction. Test the page with the policy enforced (not report-only) to confirm that VSN still evaluates them under the directives you deploy.

Safe patterns

  • Render HTML server-side and sanitize any user-provided content there, before it is stored or served.
  • Use vsn-get only for controlled fragments you trust, served from endpoints you control, because any text/vsn scripts in the response are parsed and run.
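The following is an added example, not VSN.js code and not the sanitize-html plugin, of the server-side allowlist sanitization described above: a minimal sanitizer that an SSR pipeline would run over user-provided content before the fragment is handed to vsn-html or served to a vsn-get request. The allowed element names, attribute names and URL schemes are choices made for this demo, and the sample input is constructed. It strips script elements (including text/vsn ones, which vsn-get would otherwise pick up), event-handler attributes and javascript: links, decoding entities first so an encoded scheme cannot slip past the check. A maintained library should be used in production; this shows what such a library must do.

```javascript
"use strict";

// Added example, not VSN.js code and not the sanitize-html plugin: a
// minimal allowlist sanitizer of the kind an SSR pipeline would run over
// user-provided content before it reaches vsn-html or vsn-get.
// Tag, attribute and scheme lists are chosen for this demo.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "code", "ul", "ol", "li", "a"]);
const VOID_TAGS = new Set(["br"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
// Elements whose content is removed too: a text/vsn script inside a
// fetched fragment would otherwise be parsed and run by vsn-get.
const DROP_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "template"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };

// Decode entities so the URL check sees what the browser would see
// (e.g. "&#106;avascript:" is "javascript:").
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
    }
    const n = name.toLowerCase();
    return n in NAMED ? NAMED[n] : m;
  });
}

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Mirror the browser's URL pre-processing (strip leading controls, drop
// tab/LF/CR anywhere) before reading the scheme; schemeless URLs are relative.
function isSafeHref(value) {
  const v = value.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return scheme === null || SAFE_SCHEMES.has(scheme[1].toLowerCase());
}

function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  const open = []; // emitted, still-open tags, so the output is well-formed
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = TAG_RE.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (DROP_CONTENT.has(name)) {
      if (!closing) {
        // Skip everything up to the matching close tag (or end of input).
        const endRe = new RegExp(`</${name}\\s*>`, "ig");
        endRe.lastIndex = last;
        last = endRe.exec(html) ? endRe.lastIndex : html.length;
        TAG_RE.lastIndex = last;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // drop the tag, keep its text content
    if (closing) {
      if (open.lastIndexOf(name) !== -1) {
        let t;
        while ((t = open.pop()) !== name) out += `</${t}>`;
        out += `</${name}>`;
      }
      continue;
    }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[name];
    if (allowed) {
      ATTR_RE.lastIndex = 0;
      let a;
      while ((a = ATTR_RE.exec(m[3])) !== null) {
        const attr = a[1].toLowerCase();
        if (!allowed.has(attr)) continue; // drops on*, style, srcdoc, ...
        const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
        if (attr === "href" && !isSafeHref(value)) continue;
        attrs += ` ${attr}="${escapeAttr(value)}"`;
      }
    }
    out += `<${name}${attrs}>`;
    if (VOID_TAGS.has(name)) continue;
    if (m[4]) out += `</${name}>`; else open.push(name);
  }
  out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed sample: what a user comment field might carry.
const sample = '<p>Hi <b>there</b><script type="text/vsn">steal()</script></p>' +
  '<a href="javascript:alert(1)" onclick="x()">click</a>';
console.log(sanitizeHtml(sample)); // <p>Hi <b>there</b></p><a>click</a>
```

The sanitizer re-emits every element and attribute from its own allowlist rather than filtering the input string in place, which is what makes the output safe to hand to vsn-html: anything it did not explicitly recognize is either escaped as text or dropped. Entities in attribute values are decoded before the scheme check and re-escaped on output, so the value that was checked is the value the browser will parse.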