HTML Tools

Free HTML Sanitizer Config Generator

Create allowlist configurations for the Sanitizer API and DOMPurify for secure HTML rendering.


What is the HTML Sanitizer Config Generator?

An HTML sanitizer removes potentially dangerous HTML tags, attributes, and content from user-submitted strings before rendering them on a page. This prevents XSS (Cross-Site Scripting) attacks where attackers inject malicious scripts through comment fields, rich text editors, or any user-input area. The browser Sanitizer API provides native sanitization; DOMPurify is the most widely used JavaScript library for the same purpose.

Quick answer

Build an HTML sanitizer allowlist to prevent XSS when rendering user-submitted HTML. Use content-type presets (comments, blog, richtext) or customize allowed tags and attributes. Output configs for the native Sanitizer API, DOMPurify, or both. Always block script tags, event handlers, and javascript: URLs.

Limitations

  • No sanitizer is perfect. New attack vectors are discovered regularly. Keep DOMPurify or your sanitization strategy up to date and subscribe to security advisories.
  • The native Sanitizer API is not supported in Safari as of 2025. For cross-browser support, use DOMPurify or implement a fallback strategy.
  • Sanitization protects against XSS but not against phishing, content spoofing, or layout breaking. Additional validation and content moderation may be needed for user-submitted content.

How to use this tool

  1. Choose a content type preset based on what kind of HTML you expect users to submit.
  2. Review and customize the allowed tags and attributes for your specific use case.
  3. Select the output format — Sanitizer API, DOMPurify, or both.
  4. Copy the configuration and use it wherever you render user-submitted HTML.
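The four steps above, carried through in code. This is an added example and not the tool's own implementation: the preset contents follow the descriptions on this page, the DOMPurify option names (ALLOWED_TAGS, ALLOWED_ATTR, FORBID_TAGS) are real DOMPurify options, and the Sanitizer API config shape ({ elements, attributes }) and the setHTML() call are assumptions about the current draft of that spec, so check them against the browsers you target.

```javascript
// Added example (not the tool's own code): build allowlist configs from a
// content-type preset plus optional customisation, then render them as the
// snippets a user would copy. Preset contents follow the page's text; the
// Sanitizer API shape ({ elements, attributes }) is an assumption.

const PRESETS = {
  // Basic inline formatting for blog comments (the tags listed on the page).
  comments: {
    tags: ['b', 'i', 'a', 'code', 'em', 'strong', 'br'],
    attrs: ['href', 'title'],
  },
  // Structural HTML for posts / rich text: headings, lists, quotes, images, tables.
  richtext: {
    tags: ['p', 'h1', 'h2', 'h3', 'h4', 'ul', 'ol', 'li', 'blockquote', 'pre', 'code',
      'b', 'i', 'em', 'strong', 'a', 'br', 'img',
      'table', 'thead', 'tbody', 'tr', 'th', 'td'],
    attrs: ['href', 'title', 'src', 'alt', 'width', 'height'],
  },
};

// Tags the page says to block in every preset, and the attribute-name pattern
// that catches every event handler (onclick, onerror, onload, ...).
const ALWAYS_BLOCKED_TAGS = ['script', 'style', 'iframe', 'object', 'embed',
  'applet', 'form', 'input', 'button'];
const EVENT_HANDLER = /^on/;

// Lower-case, trim and de-duplicate a list of tag or attribute names.
function normalizeNames(names) {
  return [...new Set(names.map((n) => n.trim().toLowerCase()))];
}

// Steps 1-2: apply the preset, then the user's customisation, then enforce the
// hard blocks last so a customisation cannot re-enable <script> or onclick.
function buildConfig(presetName, { extraTags = [], extraAttrs = [] } = {}) {
  const preset = PRESETS[presetName];
  if (!preset) throw new Error(`unknown preset: ${presetName}`);

  const tags = normalizeNames([...preset.tags, ...extraTags])
    .filter((t) => !ALWAYS_BLOCKED_TAGS.includes(t));
  const attrs = normalizeNames([...preset.attrs, ...extraAttrs])
    .filter((a) => !EVENT_HANDLER.test(a));

  return {
    // FORBID_TAGS is redundant next to an allowlist, but it states the intent
    // explicitly for whoever reads the config next.
    dompurify: { ALLOWED_TAGS: tags, ALLOWED_ATTR: attrs, FORBID_TAGS: ALWAYS_BLOCKED_TAGS },
    // Assumed Sanitizer API shape: allow-lists of element and attribute names.
    sanitizerApi: { elements: tags, attributes: attrs },
  };
}

// Steps 3-4: render the copy-paste snippets for either output format.
function toSnippets(config) {
  return {
    dompurify: `DOMPurify.sanitize(dirty, ${JSON.stringify(config.dompurify)})`,
    sanitizerApi: `element.setHTML(dirty, { sanitizer: ${JSON.stringify(config.sanitizerApi)} })`,
  };
}

// Stand-alone run: comments preset where a user tried to add <p>, <script> and onclick.
const demo = buildConfig('comments', { extraTags: ['p', 'Script'], extraAttrs: ['class', 'onclick'] });
console.log(toSnippets(demo).dompurify);
```

The order of operations is the point: customisation is applied before the hard blocks, so the generator never emits a config that allows a script tag or an event handler, whatever the user typed into the customisation step.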

What it is for

  • Configure an HTML sanitizer for a blog comment section that allows basic formatting (bold, italic, links) but blocks scripts and complex markup.
  • Build a sanitizer config for a rich text CMS where editors can use headings, lists, tables, and images but not embed scripts or iframes.
  • Set up a DOMPurify configuration for a static site that renders user-contributed Markdown converted to HTML.

Use cases

Concrete examples

Example

Blog comment sanitization

A blog allows comments with basic formatting. Use the comments preset, which allows the b, i, a, code, em, strong, and br tags. Scripts, images, and complex markup are stripped. This prevents XSS while keeping comments readable.

Example

CMS rich text editing

A headless CMS allows rich text with headings, lists, blockquotes, images, and tables. Use the blog or richtext preset to allow structural HTML while blocking script, iframe, object, and embed tags.

Common mistakes

  • Allowing script or style tags in the allowlist — these can execute arbitrary code and defeat the purpose of sanitization.
  • Allowing event handler attributes like onclick or onerror — attackers can inject JavaScript through event handlers even when script tags are blocked.
  • Assuming sanitization makes HTML safe for all contexts — sanitized HTML can still break layouts, overflow containers, or contain phishing links.

Verification

  1. Test the sanitizer config with known XSS payloads (like <img src=x onerror=alert(1)>) to confirm they are stripped.
  2. Use browser DevTools to inspect the rendered HTML and confirm no unexpected tags or attributes survive sanitization.

FAQ

Questions about the HTML Sanitizer Config Generator

Should I use the native Sanitizer API or DOMPurify?

The Sanitizer API is built into the browser and requires no external library, but it is newer and not supported in Safari (as of 2025). DOMPurify is a well-tested, widely used library that works in all browsers. For production sites, use DOMPurify for broad compatibility or use Sanitizer API as a progressive enhancement with a DOMPurify fallback.

What tags and attributes should I always block?

Always block script, style, iframe, object, embed, applet, form, input, and button tags. Always block event handler attributes (onclick, onerror, onload, onmouseover, etc.), javascript: URLs in href/src attributes, and data: URLs that could contain HTML or JavaScript.
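The attribute-level rules in this answer, and the payload check from the Verification section, as an added example that is not part of the tool or of DOMPurify. A sanitizer would call screenAttribute() for every attribute it is about to keep; the URL normalisation (trim leading and trailing control characters, drop embedded tabs and newlines before reading the scheme) mirrors how browsers parse URLs, so an obfuscated javascript: scheme is still recognised. The allowed-scheme list (http, https, mailto) is this example's choice, and it rejects every data: URL rather than trying to tell image data from HTML or script data.

```javascript
// Added example (not the tool's code): screen a single attribute against the
// "always block" rules: event handlers, names outside the allowlist, and
// javascript: / data: URLs in URL-bearing attributes.

const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);
// Example's own choice of accepted schemes; relative URLs (no scheme) are fine.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Normalise the way a browser's URL parser does before scheme detection:
// strip leading/trailing C0 controls and spaces, remove embedded tab/CR/LF.
function normalizeUrl(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
}

// Returns the scheme (with trailing colon) or null for a relative URL.
function urlScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeUrl(value));
  return m ? `${m[1]}:` : null;
}

function isSafeUrl(value) {
  const scheme = urlScheme(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Decide whether one attribute may survive sanitisation.
function screenAttribute(name, value, allowedAttrs) {
  const n = String(name).toLowerCase();
  if (/^on/.test(n)) return { keep: false, reason: 'event handler attribute' };
  if (!allowedAttrs.includes(n)) return { keep: false, reason: 'not in allowlist' };
  if (URL_ATTRIBUTES.has(n) && !isSafeUrl(value)) {
    return { keep: false, reason: `unsafe URL scheme ${urlScheme(value)}` };
  }
  return { keep: true, reason: 'allowed' };
}

// Verification step: the attributes of the page's test payload
// <img src=x onerror=alert(1)> against a richtext-style attribute allowlist.
const ALLOWED = ['href', 'title', 'src', 'alt'];
const PAYLOAD_ATTRS = [['src', 'x'], ['onerror', 'alert(1)']];   // constructed
for (const [name, value] of PAYLOAD_ATTRS) {
  console.log(name, '=>', screenAttribute(name, value, ALLOWED));
}
```

When the checks are written this way, the allowlist alone is not what keeps javascript: out: a value such as " JaVaScRiPt:alert(1)" or "java\tscript:alert(1)" passes the name check for href and is rejected by the scheme check, which is exactly the case the FAQ's last sentence is about.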
