
Free HTML Sanitizer Config Builder

Build Sanitizer API and DOMPurify allowlist configurations for safe HTML rendering.


What is the HTML Sanitizer Config Builder?

An HTML sanitizer removes potentially dangerous HTML tags, attributes, and content from user-submitted strings before rendering them on a page. This prevents XSS (Cross-Site Scripting) attacks where attackers inject malicious scripts through comment fields, rich text editors, or any user-input area. The browser Sanitizer API provides native sanitization; DOMPurify is the most widely used JavaScript library for the same purpose.

Short answer

Build an HTML sanitizer allowlist to prevent XSS when rendering user-submitted HTML. Use content-type presets (comments, blog, richtext) or customize allowed tags and attributes. Output configs for the native Sanitizer API, DOMPurify, or both. Always block script tags, event handlers, and javascript: URLs.

Limitations

  • No sanitizer is perfect. New attack vectors are discovered regularly. Keep DOMPurify or your sanitization strategy up to date and subscribe to security advisories.
  • The native Sanitizer API is not supported in Safari as of 2025. For cross-browser support, use DOMPurify or implement a fallback strategy.
  • Sanitization protects against XSS but not against phishing, content spoofing, or layout breaking. Additional validation and content moderation may be needed for user-submitted content.

How to use this tool

  1. Choose a content type preset based on what kind of HTML you expect users to submit.
  2. Review and customize the allowed tags and attributes for your specific use case.
  3. Select the output format — Sanitizer API, DOMPurify, or both.
  4. Copy the configuration and use it wherever you render user-submitted HTML.

What you can use it for

  • Configure an HTML sanitizer for a blog comment section that allows basic formatting (bold, italic, links) but blocks scripts and complex markup.
  • Build a sanitizer config for a rich text CMS where editors can use headings, lists, tables, and images but not embed scripts or iframes.
  • Set up a DOMPurify configuration for a static site that renders user-contributed Markdown converted to HTML.

Use cases

Practical examples

Example

Blog comment sanitization

A blog allows comments with basic formatting. Use the comments preset, which allows the b, i, a, code, em, strong, and br tags. Scripts, images, and complex markup are stripped. This prevents XSS while keeping comments readable.

Example

CMS rich text editing

A headless CMS allows rich text with headings, lists, blockquotes, images, and tables. Use the blog or richtext preset to allow structural HTML while blocking script, iframe, object, and embed tags.

Common mistakes

  • Allowing script or style tags in the allowlist — these can execute arbitrary code and defeat the purpose of sanitization.
  • Allowing event handler attributes like onclick or onerror — attackers can inject JavaScript through event handlers even when script tags are blocked.
  • Assuming sanitization makes HTML safe for all contexts — sanitized HTML can still break layouts, overflow containers, or contain phishing links.

Verification

  1. Test the sanitizer config with known XSS payloads (like <img src=x onerror=alert(1)>) to confirm they are stripped.
  2. Use browser DevTools to inspect the rendered HTML and confirm no unexpected tags or attributes survive sanitization.

FAQ

Questions about the HTML Sanitizer Config Builder

Should I use the native Sanitizer API or DOMPurify?

The Sanitizer API is built into the browser and requires no external library, but it is newer and not supported in Safari (as of 2025). DOMPurify is a well-tested, widely used library that works in all browsers. For production sites, use DOMPurify for broad compatibility, or use the Sanitizer API as a progressive enhancement with a DOMPurify fallback.

What tags and attributes should I always block?

Always block script, style, iframe, object, embed, applet, form, input, and button tags. Always block event handler attributes (onclick, onerror, onload, onmouseover, etc.), javascript: URLs in href/src attributes, and data: URLs that could contain HTML or JavaScript.
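The blog-comment example above and this always-block list, worked through as an added example that is not the tool's own code: it turns the comments preset (b, i, a, code, em, strong, br) into a DOMPurify config and a Sanitizer API config, and rejects any customization that re-allows a blocked tag or an event-handler attribute. The allowed attribute list (href, title) and the Sanitizer API key names (elements, attributes, as in the current draft spec) are assumptions.

```javascript
// Added example (not the tool's own code): build the "comments" preset into a
// DOMPurify config and a Sanitizer API config, rejecting any customization that
// re-allows something from the always-block list. Assumed: the attrs list and
// the Sanitizer API key names (elements/attributes, current draft spec).
// Tags the FAQ says to always block.
const FORBIDDEN_TAGS = ['script', 'style', 'iframe', 'object', 'embed', 'applet', 'form', 'input', 'button'];
// Absolute http(s)/mailto only; javascript: and data: fail, and so do relative URLs (widen deliberately).
const SAFE_URL_RE = /^(?:https?|mailto):/i;
// Comments preset from the page (b, i, a, code, em, strong, br); the attrs are assumed.
const PRESETS = {
  comments: { tags: ['b', 'i', 'a', 'code', 'em', 'strong', 'br'], attrs: ['href', 'title'] },
};

// Step 2 of the procedure: start from a preset and add custom tags/attributes.
function customize(presetName, extraTags = [], extraAttrs = []) {
  const base = PRESETS[presetName];
  if (!base) throw new Error(`unknown preset: ${presetName}`);
  const uniq = list => [...new Set(list.map(x => x.toLowerCase()))];
  return { tags: uniq([...base.tags, ...extraTags]), attrs: uniq([...base.attrs, ...extraAttrs]) };
}

// Refuse always-blocked tags and any on* event-handler attribute.
function validateAllowlist({ tags, attrs }) {
  const badTags = tags.filter(t => FORBIDDEN_TAGS.includes(t.toLowerCase()));
  const badAttrs = attrs.filter(a => a.toLowerCase().startsWith('on'));
  return { ok: badTags.length === 0 && badAttrs.length === 0, badTags, badAttrs };
}
function assertValid(selection) {
  const v = validateAllowlist(selection);
  if (!v.ok) throw new Error(`forbidden entries: ${[...v.badTags, ...v.badAttrs].join(', ')}`);
}

// DOMPurify: ALLOWED_TAGS/ALLOWED_ATTR are the allowlist, ALLOWED_URI_REGEXP
// enforces the URL-scheme rule, FORBID_TAGS is defence in depth.
function buildDomPurifyConfig(selection) {
  assertValid(selection);
  return {
    ALLOWED_TAGS: [...selection.tags],
    ALLOWED_ATTR: [...selection.attrs],
    ALLOWED_URI_REGEXP: SAFE_URL_RE,
    FORBID_TAGS: [...FORBIDDEN_TAGS],
  };
}

// Sanitizer API: allowlist only. It has no URL-scheme filter of its own, so
// href values still need the SAFE_URL_RE check before rendering.
function buildSanitizerApiConfig(selection) {
  assertValid(selection);
  return { elements: [...selection.tags], attributes: [...selection.attrs] };
}
```

Pass the DOMPurify object to `DOMPurify.sanitize(html, config)` and the other to `new Sanitizer(config)`; the validation step is what keeps a later "just allow onclick for this widget" edit from silently undoing the allowlist.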
