
Free HTML Sanitizer Config Builder

Generate allowlist configurations for the browser Sanitizer API and DOMPurify so that user-submitted HTML can be rendered safely.


What is the HTML Sanitizer Config Builder?

An HTML sanitizer removes potentially dangerous HTML tags, attributes, and content from user-submitted strings before rendering them on a page. This prevents XSS (Cross-Site Scripting) attacks where attackers inject malicious scripts through comment fields, rich text editors, or any user-input area. The browser Sanitizer API provides native sanitization; DOMPurify is the most widely used JavaScript library for the same purpose.

Quick answer

Build an HTML sanitizer allowlist to prevent XSS when rendering user-submitted HTML. Use content-type presets (comments, blog, richtext) or customize allowed tags and attributes. Output configs for the native Sanitizer API, DOMPurify, or both. Always block script tags, event handlers, and javascript: URLs.

Limitations

  • No sanitizer is perfect. New attack vectors are discovered regularly. Keep DOMPurify or your sanitization strategy up to date and subscribe to security advisories.
  • The native Sanitizer API is not supported in Safari as of 2025. For cross-browser support, use DOMPurify or implement a fallback strategy.
  • Sanitization protects against XSS but not against phishing, content spoofing, or layout breaking. Additional validation and content moderation may be needed for user-submitted content.

How to use

  1. Choose a content type preset based on what kind of HTML you expect users to submit.
  2. Review and customize the allowed tags and attributes for your specific use case.
  3. Select the output format — Sanitizer API, DOMPurify, or both.
  4. Copy the configuration and use it wherever you render user-submitted HTML.
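The four steps above, carried out in code as an added example (this is not the tool's own code or output): a content-type preset is turned into a DOMPurify config and a Sanitizer API config, and the allowlist is audited first for the tags and attributes this page says must never be allowed. The preset contents, the PRESETS/auditAllowlist/buildDomPurifyConfig/buildSanitizerApiConfig/renderUserHtml names and the simplified URL regex are assumptions of this example; ALLOWED_TAGS, ALLOWED_ATTR, ALLOWED_URI_REGEXP, FORBID_TAGS and FORBID_ATTR are real DOMPurify options, and the Sanitizer API config shape follows the 2025 draft (elements/attributes; earlier drafts used allowElements/allowAttributes).

```javascript
// Added example, not the tool's own code: build sanitizer allowlist configs
// from a content-type preset and audit them before use.

// Preset contents are assumptions modelled on the page's preset descriptions.
const PRESETS = {
  comments: {
    tags: ['b', 'i', 'a', 'code', 'em', 'strong', 'br'],
    attrs: ['href', 'title'],
  },
  blog: {
    tags: ['p', 'h1', 'h2', 'h3', 'ul', 'ol', 'li', 'blockquote', 'pre', 'code',
      'a', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
      'b', 'i', 'em', 'strong', 'br'],
    attrs: ['href', 'title', 'src', 'alt'],
  },
};

// Tags the page says must never appear in an allowlist.
const FORBIDDEN_TAGS = new Set([
  'script', 'style', 'iframe', 'object', 'embed', 'applet', 'form', 'input', 'button',
]);

// Accept only http(s), mailto and scheme-less (relative) URLs; this rejects
// javascript: and data: URLs. Simplified from DOMPurify's default pattern.
const SAFE_URI_REGEXP = /^(?:(?:https?|mailto):|[^a-z]|[a-z+.-]+(?:[^a-z+.\-:]|$))/i;

// Returns a list of problems; an empty list means the allowlist is acceptable.
function auditAllowlist(tags, attrs) {
  const problems = [];
  for (const tag of tags) {
    const t = tag.toLowerCase();
    if (FORBIDDEN_TAGS.has(t)) problems.push(`tag "${t}" must not be allowed`);
  }
  for (const attr of attrs) {
    const a = attr.toLowerCase();
    // Every HTML event handler attribute starts with "on" (onclick, onerror, ...).
    if (a.startsWith('on')) problems.push(`event handler attribute "${a}" must not be allowed`);
  }
  return problems;
}

function presetOrThrow(name) {
  const p = PRESETS[name];
  if (!p) throw new Error(`unknown preset: ${name}`);
  const problems = auditAllowlist(p.tags, p.attrs);
  if (problems.length) throw new Error(problems.join('; '));
  return p;
}

// DOMPurify config: allowlist plus explicit deny entries so that a later edit
// to ALLOWED_TAGS cannot quietly re-enable the dangerous ones.
function buildDomPurifyConfig(name) {
  const p = presetOrThrow(name);
  return {
    ALLOWED_TAGS: [...p.tags],
    ALLOWED_ATTR: [...p.attrs],
    ALLOWED_URI_REGEXP: SAFE_URI_REGEXP,
    FORBID_TAGS: [...FORBIDDEN_TAGS],
    FORBID_ATTR: ['onclick', 'onerror', 'onload', 'onmouseover'],
  };
}

// Sanitizer API config (2025 draft shape). Use it with element.setHTML(), the
// safe variant, rather than setHTMLUnsafe().
function buildSanitizerApiConfig(name) {
  const p = presetOrThrow(name);
  return { elements: [...p.tags], attributes: [...p.attrs], comments: false };
}

// Render user HTML into `el`: native Sanitizer API where present (not Safari as
// of 2025), DOMPurify as the fallback. Assumes DOMPurify is loaded as a global.
function renderUserHtml(el, dirty, name) {
  if (typeof el.setHTML === 'function') {
    el.setHTML(dirty, { sanitizer: buildSanitizerApiConfig(name) });
  } else if (typeof DOMPurify !== 'undefined') {
    el.innerHTML = DOMPurify.sanitize(dirty, buildDomPurifyConfig(name));
  } else {
    throw new Error('no sanitizer available; refusing to render raw HTML');
  }
}
```

The audit is deliberately run inside both builders rather than once at preset definition time, so a preset customised in step 2 is re-checked every time a config is produced from it.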

Key use cases

  • Configure an HTML sanitizer for a blog comment section that allows basic formatting (bold, italic, links) but blocks scripts and complex markup.
  • Build a sanitizer config for a rich text CMS where editors can use headings, lists, tables, and images but not embed scripts or iframes.
  • Set up a DOMPurify configuration for a static site that renders user-contributed Markdown converted to HTML.

Use cases

Usage examples

Blog comment sanitization

A blog allows comments with basic formatting. Use the comments preset, which allows the b, i, a, code, em, strong, and br tags. Scripts, images, and complex markup are stripped. This prevents XSS while keeping comments readable.

CMS rich text editing

A headless CMS allows rich text with headings, lists, blockquotes, images, and tables. Use the blog or richtext preset to allow structural HTML while blocking script, iframe, object, and embed tags.

Common mistakes

  • Allowing script or style tags in the allowlist — these can execute arbitrary code and defeat the purpose of sanitization.
  • Allowing event handler attributes like onclick or onerror — attackers can inject JavaScript through event handlers even when script tags are blocked.
  • Assuming sanitization makes HTML safe for all contexts — sanitized HTML can still break layouts, overflow containers, or contain phishing links.

Verification

  1. Test the sanitizer config with known XSS payloads (like <img src=x onerror=alert(1)>) to confirm they are stripped.
  2. Use browser DevTools to inspect the rendered HTML and confirm no unexpected tags or attributes survive sanitization.
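The first verification step as an added example (not the tool's own code): a small harness that runs known payloads through any sanitize function and reports output that still carries script-capable content. The sanitize function is passed in (for instance `(d) => DOMPurify.sanitize(d, config)`), so the harness itself needs no DOM; the XSS_SMOKE_PAYLOADS, UNSAFE_PATTERNS and runXssSmokeTests names and the payload list are assumptions of this example, built from the page's own list of tags, attributes and URL schemes that must always be blocked.

```javascript
// Added example, not the tool's own code: smoke-test a sanitize function with
// known XSS payloads and return every output that still looks dangerous.

// Constructed sample inputs covering the page's "always block" list.
const XSS_SMOKE_PAYLOADS = [
  '<img src=x onerror=alert(1)>',
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">click</a>',
  '<svg onload=alert(1)></svg>',
  '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>',
  '<b onmouseover=alert(1)>hover</b>',
];

// Textual indicators of content that must not survive sanitization. This is a
// heuristic over the output string; confirm with DOM inspection as well.
const UNSAFE_PATTERNS = [
  { name: 'script tag', re: /<script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'data: URL', re: /(?:href|src)\s*=\s*["']?\s*data:/i },
  { name: 'forbidden tag', re: /<(?:style|iframe|object|embed|applet|form|input|button)\b/i },
];

// `sanitize` is any (dirtyString) => cleanString. Returns an array of
// { payload, output, reason } entries; an empty array means every payload
// came out clean.
function runXssSmokeTests(sanitize, payloads = XSS_SMOKE_PAYLOADS) {
  const failures = [];
  for (const payload of payloads) {
    const output = sanitize(payload);
    for (const { name, re } of UNSAFE_PATTERNS) {
      if (re.test(output)) failures.push({ payload, output, reason: name });
    }
  }
  return failures;
}

// Illustration of the mistake described on this page: stripping only
// <script> tags leaves event handlers, javascript: URLs and iframes intact.
const stripScriptTagsOnly = (d) => d.replace(/<script[\s\S]*?<\/script>/gi, '');

function demo() {
  return runXssSmokeTests(stripScriptTagsOnly).map((f) => `${f.reason}: ${f.output}`);
}
```

Run `runXssSmokeTests((d) => DOMPurify.sanitize(d, config))` in the browser against the config you generated; any non-empty result is a config to fix before shipping. The `stripScriptTagsOnly` function exists only to show why the page insists on blocking event handlers and URL schemes in addition to script tags.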

FAQ

HTML Sanitizer Config Builder FAQ

Should I use the native Sanitizer API or DOMPurify?

The Sanitizer API is built into the browser and requires no external library, but it is newer and not supported in Safari (as of 2025). DOMPurify is a well-tested, widely used library that works in all browsers. For production sites, use DOMPurify for broad compatibility, or use the Sanitizer API as a progressive enhancement with a DOMPurify fallback.

What tags and attributes should I always block?

Always block script, style, iframe, object, embed, applet, form, input, and button tags. Always block event handler attributes (onclick, onerror, onload, onmouseover, etc.), javascript: URLs in href/src attributes, and data: URLs that could contain HTML or JavaScript.
