The short answer is no, at least not with any of the nodes that ship with Lexical. In theory you could implement custom nodes that have this sort of security issue.
I'm currently working on creating a Lexical text editor that allows users to input notes. When the user clicks save I export the editor's content to HTML using `$generateHtmlFromNode` and save it to the database. I then use that to reload the editor's content if they return to that page or render the raw HTML in React using `dangerouslySetInnerHTML` if they are in readonly mode.

My question is, do I need to sanitize the HTML I get from Lexical (or do any other form of sanitization)? I couldn't find any mention about it in the docs. I did find a sanitize node function in the playground code but it didn't appear to be doing any of the normal HTML sanitization stuff like removing scripts etc.

I'm assuming the answer to my question is no but I just want to double check first. Thanks in advance
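Because the reply above notes that custom nodes could export unsafe markup, here is a fail-closed allowlist check that could run on the stored HTML before it reaches `dangerouslySetInnerHTML`. It is an added example, not code from this thread or from Lexical; the allowlists, function names and sample strings are assumptions constructed for illustration.

```javascript
// Added example: fail-closed allowlist check for stored editor HTML.
// The allowlists are assumptions; match them to what your own nodes export.
const ALLOWED_TAGS = new Set(['p', 'span', 'br', 'b', 'strong', 'i', 'em', 'u', 's',
  'code', 'pre', 'blockquote', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'a']);
const ALLOWED_ATTRS = new Set(['class', 'dir', 'style', 'href', 'value']);
// Literal scheme prefix only, so an entity-encoded scheme never passes.
const SAFE_HREF = /^(https?:|mailto:)/i;
// One "prop: value" declaration; no parentheses, so no url() and no functions.
const SAFE_DECL = /^[a-z-]+\s*:[a-z0-9 #%.,-]+$/i;
// One whole tag: optional "/", name, double-quoted attributes, optional "/".
const TAG = /<\/?([a-z][a-z0-9]*)((?:\s+[a-z-]+="[^"<>]*")*)\s*\/?>/iy;
const ATTR = /\s+([a-z-]+)="([^"<>]*)"/gi;

function isSafeStyle(value) {
  return value.split(';').map((d) => d.trim())
    .every((d) => d === '' || SAFE_DECL.test(d));
}

// True only when every tag and attribute in `html` is on the allowlists.
function isSafeEditorHtml(html) {
  if (typeof html !== 'string') return false;
  let pos = 0;
  for (;;) {
    const lt = html.indexOf('<', pos);
    if (lt === -1) return true; // only text remains
    TAG.lastIndex = lt; // sticky flag: match must start exactly at "<"
    const m = TAG.exec(html);
    if (m === null) return false; // comment, doctype, stray "<", odd quoting
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return false;
    for (const [, name, value] of m[2].matchAll(ATTR)) {
      const attr = name.toLowerCase();
      if (!ALLOWED_ATTRS.has(attr)) return false;
      if (attr === 'href' && !SAFE_HREF.test(value)) return false;
      if (attr === 'style' && !isSafeStyle(value)) return false;
    }
    pos = lt + m[0].length;
  }
}

// Constructed samples (not captured from a real editor).
const SAMPLES = {
  exported: '<p class="note" dir="ltr"><span style="white-space: pre-wrap;">Hello</span></p>',
  link: '<p><a href="https://example.com/a?b=1">docs</a></p>',
  handler: '<p onclick="x()">hi</p>',
  script: '<p>hi</p><script>x()</script>',
  scriptHref: '<a href="javascript:x()">go</a>',
};
const checkSamples = () => Object.fromEntries(
  Object.entries(SAMPLES).map(([k, v]) => [k, isSafeEditorHtml(v)]));
```

Render the stored string only when `isSafeEditorHtml` returns true; anything it rejects is refused rather than repaired.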