HTML tools

Free HTML Sanitizer Config Builder

Build Sanitizer API and DOMPurify allowlist configurations for safe HTML rendering.

What is HTML Sanitizer Config Builder?

An HTML sanitizer removes potentially dangerous HTML tags, attributes, and content from user-submitted strings before rendering them on a page. This prevents XSS (Cross-Site Scripting) attacks where attackers inject malicious scripts through comment fields, rich text editors, or any user-input area. The browser Sanitizer API provides native sanitization; DOMPurify is the most widely used JavaScript library for the same purpose.

Quick answer

Build an HTML sanitizer allowlist to prevent XSS when rendering user-submitted HTML. Use content-type presets (comments, blog, richtext) or customize allowed tags and attributes. Output configs for the native Sanitizer API, DOMPurify, or both. Always block script tags, event handlers, and javascript: URLs.

Limitations

  • No sanitizer is perfect. New attack vectors are discovered regularly. Keep DOMPurify or your sanitization strategy up to date and subscribe to security advisories.
  • The native Sanitizer API is not supported in Safari as of 2025. For cross-browser support, use DOMPurify or implement a fallback strategy.
  • Sanitization protects against XSS but not against phishing, content spoofing, or layout breaking. Additional validation and content moderation may be needed for user-submitted content.

How to use this tool

  1. Choose a content type preset based on what kind of HTML you expect users to submit.
  2. Review and customize the allowed tags and attributes for your specific use case.
  3. Select the output format — Sanitizer API, DOMPurify, or both.
  4. Copy the configuration and use it wherever you render user-submitted HTML.

What you can use it for

  • Configure an HTML sanitizer for a blog comment section that allows basic formatting (bold, italic, links) but blocks scripts and complex markup.
  • Build a sanitizer config for a rich text CMS where editors can use headings, lists, tables, and images but not embed scripts or iframes.
  • Set up a DOMPurify configuration for a static site that renders user-contributed Markdown converted to HTML.

Usage

Practical examples

Example

Blog comment sanitization

A blog allows comments with basic formatting. Use the comments preset which allows b, i, a, code, em, strong, and br tags. Scripts, images, and complex markup are stripped. This prevents XSS while keeping comments readable.

Example

CMS rich text editing

A headless CMS allows rich text with headings, lists, blockquotes, images, and tables. Use the blog or richtext preset to allow structural HTML while blocking script, iframe, object, and embed tags.

Common mistakes

  • Allowing script or style tags in the allowlist — these can execute arbitrary code and defeat the purpose of sanitization.
  • Allowing event handler attributes like onclick or onerror — attackers can inject JavaScript through event handlers even when script tags are blocked.
  • Assuming sanitization makes HTML safe for all contexts — sanitized HTML can still break layouts, overflow containers, or contain phishing links.

Verification

  1. Test the sanitizer config with known XSS payloads (like <img src=x onerror=alert(1)>) to confirm they are stripped.
  2. Use browser DevTools to inspect the rendered HTML and confirm no unexpected tags or attributes survive sanitization.

FAQ

Questions about HTML Sanitizer Config Builder

Should I use the native Sanitizer API or DOMPurify?

The Sanitizer API is built into the browser and requires no external library, but it is newer and not supported in Safari (as of 2025). DOMPurify is a well-tested, widely used library that works in all browsers. For production sites, use DOMPurify for broad compatibility or use Sanitizer API as a progressive enhancement with a DOMPurify fallback.

What tags and attributes should I always block?

Always block script, style, iframe, object, embed, applet, form, input, and button tags. Always block event handler attributes (onclick, onerror, onload, onmouseover, etc.), javascript: URLs in href/src attributes, and data: URLs that could contain HTML or JavaScript.
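As an added example (not the tool's own code), the JavaScript below builds both the DOMPurify and the Sanitizer API config for the comments and richtext presets described in the practical examples, and lints an allowlist for the mistakes listed under common mistakes and in this answer. The richtext tag list, the `SAFE_URI` pattern and the Sanitizer API key names `elements`/`attributes` are assumptions.

```javascript
// Added example, not the tool's own code: build DOMPurify and Sanitizer API
// allowlist configs from the page's presets and lint them for the common
// mistakes (always-forbidden tags, on* event handler attributes).
const PRESETS = {
  // "comments" tags are the ones named on the page.
  comments: { tags: ["b", "i", "a", "code", "em", "strong", "br"], attrs: ["href", "title"] },
  // "richtext" tag list is an assumption based on the page's description.
  richtext: {
    tags: ["p", "h1", "h2", "h3", "ul", "ol", "li", "blockquote", "pre", "code",
           "table", "thead", "tbody", "tr", "th", "td", "img", "a", "b", "i",
           "em", "strong", "br"],
    attrs: ["href", "title", "src", "alt", "colspan", "rowspan"],
  },
};

// Tags the page says must never be allowed, whatever the preset.
const ALWAYS_FORBID_TAGS = ["script", "style", "iframe", "object", "embed",
                            "applet", "form", "input", "button"];

// Assumed URL policy modelled on DOMPurify's default ALLOWED_URI_REGEXP:
// http(s), mailto and scheme-less (relative) URLs pass; javascript: and data: fail.
const SAFE_URI = /^(?:(?:https?|mailto):|[^a-z]|[a-z+.-]+(?:[^a-z+.\-:]|$))/i;

// Returns a list of problems; an empty list means the allowlist is clean.
function lintAllowlist({ tags, attrs }) {
  const problems = [];
  for (const t of tags) {
    if (ALWAYS_FORBID_TAGS.includes(t.toLowerCase())) problems.push(`tag <${t}> must not be allowed`);
  }
  for (const a of attrs) {
    if (/^on/i.test(a)) problems.push(`event handler attribute ${a} must not be allowed`);
  }
  return problems;
}

// Emits both config shapes for a preset; throws if the allowlist fails the lint.
function buildConfigs(name) {
  const preset = PRESETS[name];
  if (!preset) throw new Error(`unknown preset: ${name}`);
  const problems = lintAllowlist(preset);
  if (problems.length) throw new Error(problems.join("; "));
  return {
    // DOMPurify option names are the library's documented ones.
    dompurify: { ALLOWED_TAGS: [...preset.tags], ALLOWED_ATTR: [...preset.attrs],
                 FORBID_TAGS: [...ALWAYS_FORBID_TAGS], ALLOWED_URI_REGEXP: SAFE_URI },
    // Sanitizer API key names follow the current spec draft (assumption).
    sanitizerApi: { elements: [...preset.tags], attributes: [...preset.attrs] },
  };
}
```

Pass `buildConfigs("comments").dompurify` as the second argument of `DOMPurify.sanitize(html, config)`; the lint step is what stops a script tag or an onclick attribute from ever reaching the allowlist.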

Related tools

More HTML tools

HTML

CSP Hash Generator

Generate CSP hash values for inline scripts and styles. Hash exact code with SHA-256, SHA-384 or SHA-512.
