/**
 * Shared sanitization utilities.
 * Imported by RayEditor core and all feature modules.
 *
 * NOTE(review): this appears to be a declaration file (signatures and doc
 * comments only). The guarantees described below are enforced by the
 * implementation module, which is not shown here; verify them there before
 * relying on them.
 */

/**
 * Escapes HTML special characters so a string can be safely interpolated
 * into an innerHTML template literal without being parsed as markup.
 *
 * NOTE(review): HTML escaping is context-dependent. The contract above covers
 * text placed in element content. Safety inside attribute values depends on
 * whether quote characters are escaped, which this declaration does not
 * show; confirm in the implementation. Escaping alone does not validate a
 * URL scheme, so URL-bearing attributes also need sanitizeUrl.
 *
 * @param str - Text to escape before it is interpolated into markup.
 * @returns The escaped string.
 */
export declare function escapeHtml(str: string): string;

/**
 * Returns a normalised, safe URL string, or '' if the scheme is dangerous.
 *
 * - Strips whitespace and control chars before scheme check (defeats
 *   obfuscation like "j a v a s c r i p t :")
 * - For absolute URLs: returns parsed.href from the URL constructor so
 *   callers assign the constructor's output, not raw user input
 * - For relative URLs: safe after the scheme check, returned as-is
 * - Blocks javascript:, vbscript:, and data: schemes
 *
 * NOTE(review): as documented, this is a denylist of three schemes, so any
 * other scheme is presumably passed through. Confirm this against the
 * implementation and consider an allowlist where only web links are expected.
 *
 * NOTE(review): the result is scheme-checked, not HTML-escaped. Relative URLs
 * are returned as-is, so assign the value through a DOM property or
 * setAttribute, or escape it before building a markup string.
 *
 * @param url - URL string to check.
 * @returns The normalised URL, or '' when the scheme is blocked. Callers
 *   should treat '' as "no link": an empty href resolves to the current
 *   document.
 */
export declare function sanitizeUrl(url: string): string;

/**
 * Sanitizes an HTML string and writes it directly into `target` using DOM
 * node adoption — no innerHTML assignment of user-derived text.
 *
 * Flow:
 *  1. DOMParser parses in a sandboxed, inert document (scripts never run).
 *  2. Walk every element, removing forbidden tags and dangerous attributes.
 *  3. Adopt each cleaned node into the live document via document.adoptNode()
 *     and append to `target` — tainted text never flows through innerHTML.
 *
 * Forbidden tags : script, iframe, object, embed, form controls, base, link
 * Stripped attrs : on* event handlers, javascript/vbscript/data: URIs
 *
 * NOTE(review): both lists are denylists, so anything not named is presumably
 * kept. The lists as written do not mention `style` elements or attributes,
 * `meta`, or `svg`/`math` content. TODO: confirm how the implementation
 * treats them, and whether an allowlist would be easier to audit.
 *
 * NOTE(review): the declaration does not say whether existing children of
 * `target` are cleared before the cleaned nodes are appended; confirm
 * against the implementation.
 *
 * @param target - Element in the live document that receives the cleaned nodes.
 * @param html - HTML string to sanitize.
 */
export declare function applySanitizedHTML(target: HTMLElement, html: string): void;
//# sourceMappingURL=sanitize.d.ts.map