What is HTML Sanitizer Config Builder?
An HTML sanitizer removes potentially dangerous HTML tags, attributes, and content from user-submitted strings before rendering them on a page. This prevents XSS (Cross-Site Scripting) attacks where attackers inject malicious scripts through comment fields, rich text editors, or any user-input area. The browser Sanitizer API provides native sanitization; DOMPurify is the most widely used JavaScript library for the same purpose.
quickAnswer
Build an HTML sanitizer allowlist to prevent XSS when rendering user-submitted HTML. Use content-type presets (comments, blog, richtext) or customize allowed tags and attributes. Output configs for the native Sanitizer API, DOMPurify, or both. Always block script tags, event handlers, and javascript: URLs.
limitations
- No sanitizer is perfect. New attack vectors are discovered regularly. Keep DOMPurify or your sanitization strategy up to date and subscribe to security advisories.
- The native Sanitizer API is not supported in Safari as of 2025. For cross-browser support, use DOMPurify or implement a fallback strategy.
- Sanitization protects against XSS but not against phishing, content spoofing, or layout breaking. Additional validation and content moderation may be needed for user-submitted content.
How to use this tool
- Choose a content type preset based on what kind of HTML you expect users to submit.
- Review and customize the allowed tags and attributes for your specific use case.
- Select the output format — Sanitizer API, DOMPurify, or both.
- Copy the configuration and use it wherever you render user-submitted HTML.
What you can use it for
- Configure an HTML sanitizer for a blog comment section that allows basic formatting (bold, italic, links) but blocks scripts and complex markup.
- Build a sanitizer config for a rich text CMS where editors can use headings, lists, tables, and images but not embed scripts or iframes.
- Set up a DOMPurify configuration for a static site that renders user-contributed Markdown converted to HTML.