2023-03-10 08:01:21 +00:00
---
2023-10-18 10:59:43 +00:00
title: useHeadSafe
2023-03-10 08:01:21 +00:00
description: The recommended way to provide head data with user input.
2023-10-18 10:59:43 +00:00
links:
- label: Source
icon: i-simple-icons-github
to: https://github.com/unjs/unhead/blob/main/packages/unhead/src/composables/useHeadSafe.ts
size: xs
2023-03-10 08:01:21 +00:00
---
2023-03-14 14:24:41 +00:00
The `useHeadSafe` composable is a wrapper around the [`useHead` ](/docs/api/composables/use-head ) composable that restricts the input to only allow safe values.
2023-03-10 08:01:21 +00:00
2023-03-14 14:24:41 +00:00
## Usage
2023-07-07 16:24:09 +00:00
You can pass all the same values as [`useHead` ](/docs/api/composables/use-head )
2023-04-04 13:23:13 +00:00
2023-03-14 14:24:41 +00:00
```ts
useHeadSafe({
script: [
{ id: 'xss-script', innerHTML: 'alert("xss")' }
],
meta: [
{ 'http-equiv': 'refresh', content: '0;javascript:alert(1)' }
]
})
// Will safely generate
// < script id = "xss-script" > < / script >
// < meta content = "0;javascript:alert(1)" >
```
2023-10-18 10:59:43 +00:00
::read-more{to="https://unhead.unjs.io/usage/composables/use-head-safe" target="_blank"}
Read more on `unhead` documentation.
::
2023-03-10 08:01:21 +00:00
## Type
```ts
useHeadSafe(input: MaybeComputedRef< HeadSafe > ): void
```
The whitelist of safe values is:
```ts
export default {
htmlAttrs: ['id', 'class', 'lang', 'dir'],
bodyAttrs: ['id', 'class'],
meta: ['id', 'name', 'property', 'charset', 'content'],
noscript: ['id', 'textContent'],
script: ['id', 'type', 'textContent'],
link: ['id', 'color', 'crossorigin', 'fetchpriority', 'href', 'hreflang', 'imagesrcset', 'imagesizes', 'integrity', 'media', 'referrerpolicy', 'rel', 'sizes', 'type'],
}
```
See [@unhead/schema ](https://github.com/unjs/unhead/blob/main/packages/schema/src/safeSchema.ts ) for more detailed types.
