HTML SAP SE Embeds standard HTML in an SAPUI5 control tree. Security Hint: By default, the HTML content (property 'content') is not sanitized and therefore open to XSS attacks. Applications that want to show user defined input in an HTML control, should either sanitize the content on their own or activate automatic sanitizing through the {@link #setSanitizeContent sanitizeContent} property. Although this control inherits the <code>tooltip</code> aggregation/property and the <code>hasStyleClass</code>, <code>addStyleClass</code>, <code>removeStyleClass</code> and <code>toggleStyleClass</code> methods from its base class, it doesn't support them. Instead, the defined HTML content can contain a tooltip (title attribute) or custom CSS classes. For further hints about usage restrictions for this control, see also the documentation of the <code>content</code> property. sap.ui.core/Control HTML content to be displayed, defined as a string. The content is converted to DOM nodes with a call to <code>new jQuery(content)</code>, so any restrictions for the jQuery constructor apply to the content of the HTML control as well. Some of these restrictions (there might be others!) are: <ul> <li>the content must be enclosed in tags, pure text is not supported. </li> <li>if the content contains script tags, they will be executed but they will not appear in the resulting DOM tree. When the contained code tries to find the corresponding script tag, it will fail.</li> </ul> Please consider to consult the jQuery documentation as well. The HTML control currently doesn't prevent the usage of multiple root nodes in its DOM content (e.g. <code>setContent("&lt;div/>&lt;div/>")</code>), but this is not a guaranteed feature. The accepted content might be restricted to single root nodes in future versions. To notify applications about this fact, a warning is written in the log when multiple root nodes are used. When changing the content dynamically, ensure that the ID of the root node remains the same as the HTML control's ID. Otherwise it cannot be guaranteed that certain lifecycle events take place. Whether existing DOM content is preferred over the given content string. There are two scenarios where this flag is relevant (when set to true): <ul> <li>for the initial rendering: when an HTML control is added to a UIArea for the first time and if the root node of that UIArea contained DOM content with the same id as the HTML control, then that content will be used for rendering instead of any specified string content</li> <li>any follow-up rendering: when an HTML control is rendered for the second or any later time and the preferDOM flag is set, then the DOM from the first rendering is preserved and not replaced by the string content</li> </ul> As preserving the existing DOM is the most common use case of the HTML control, the default value is true. Whether to run the HTML sanitizer once the content (HTML markup) is applied or not. To configure the set of allowed URLs, you can use the {@link jQuery.sap.addUrlWhitelist whitelist API}. Specifies whether the control is visible. Invisible controls are not rendered. Fired after the HTML control has been rendered. Allows to manipulate the resulting DOM. When the control doesn't have string content and no preserved DOM existed for this control, then this event will fire, but there won't be a DOM node for this control. Whether the current DOM of the control has been preserved (true) or not (e.g. rendered from content property or it is an empty HTML control).