@lexical/html

As the official HTML utilities package for Lexical, @lexical/html provides the core functions you need for converting between Lexical's editor state and HTML strings. The primary APIs ($generateHtmlFromNodes and $generateNodesFromDOM) are straightforward when working with standard content, but you'll quickly encounter limitations with custom nodes and complex formatting.

The documentation assumes familiarity with Lexical's internal node system, which creates a steep learning curve. Type definitions are present but generic, offering limited IDE guidance on what node types are supported or how custom transformers should be structured. Error messages during serialization failures are often cryptic, giving little context about which node caused the issue or why.

The package works reliably for basic rich text scenarios, but expect to write custom serialization logic for anything beyond paragraphs, headings, and lists. Version updates sometimes introduce breaking changes in HTML output format without clear migration guides, making it challenging to maintain consistent serialization across versions.

The @lexical/html package provides bidirectional conversion between Lexical editor state and HTML strings. In practice, it does its core job well - serializing editor content to HTML and parsing HTML back into editor nodes. The API is straightforward with $generateHtmlFromNodes() and $generateNodesFromDOM() functions that integrate cleanly with Lexical's architecture.

From a security perspective, this package requires careful attention. The HTML generation itself doesn't sanitize output by default - it trusts your editor state is already safe. More critically, when parsing external HTML via $generateNodesFromDOM(), you're responsible for sanitizing input first. The package doesn't include DOMPurify or similar protections, meaning XSS vulnerabilities are possible if you parse untrusted HTML without pre-sanitization. Error handling is minimal; malformed HTML may produce unexpected node structures rather than clear validation errors.

The library follows Lexical's patterns but lacks security guardrails. You'll need to implement your own sanitization layer, validate HTML sources, and carefully test edge cases. Documentation mentions sanitization responsibility but doesn't provide robust examples of secure integration patterns.

Using @lexical/html daily for converting Lexical editor state to HTML and vice versa reveals a mixed picture. The API is straightforward with $generateHtmlFromNodes() and $generateNodesFromDOM(), but the security model demands careful attention. The package doesn't sanitize HTML by default—you're responsible for preventing XSS when importing user-generated HTML. This secure-by-default gap is concerning for teams without strong security practices.

Error handling is minimal. Invalid HTML parsing often fails silently or produces unexpected node trees rather than throwing actionable exceptions. Debugging malformed conversions requires deep knowledge of Lexical's internal node structure. The TypeScript types help catch obvious mistakes, but there's limited guidance on edge cases like nested structures or custom nodes.

Dependency-wise, it's tightly coupled to the core Lexical package, which means you inherit Meta's update cadence and breaking changes. The MIT license is permissive, but you're essentially locked into the Lexical ecosystem. TLS/crypto isn't relevant here, but input validation patterns are notably absent—you must implement DOMPurify or similar yourself.