
sanitize_html - Twig Filter

Info
This feature is available in Contao 5.1 and later.

Contao overrides Symfony's default sanitize_html Twig filter so that, in addition to the regular HTML sanitizing, it also neutralizes Contao-specific special characters such as the braces of insert tags.

Default sanitizer

The default sanitizer is configured under framework.html_sanitizer.sanitizers.default and allows all "safe" elements and attributes as defined by the W3C Standard Proposal. You can find more information about it in the Symfony documentation.

{{ '<div title=test style=color:red onclick=alert(1)><script>alert(2)</script>{{date::Y}}'|sanitize_html }}
{# Output: #} <div title="test">&#123;&#123;date::Y&#125;&#125;</div>
The default sanitizer keeps the title attribute, drops style and onclick, removes the script element entirely, closes the unclosed div and encodes the braces of the insert tag so that it is rendered as text instead of being replaced as an insert tag.
Info

Use the default sanitizer for HTML code that comes from external sources.
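Since the filter takes the sanitizer name as its argument, a project can define stricter Symfony sanitizers for specific kinds of untrusted markup. The following config/packages/framework.yaml fragment is an added example and not part of the Contao documentation or code base: it shows a loose variant that starts from the W3C "safe" list next to a hardened variant for comment bodies that allow-lists a few inline elements, accepts only https links and forces rel="noopener noreferrer" on them. The sanitizer names app.comment_loose and app.comment and the comment use case are assumptions, and so is the premise that Contao's overridden filter, like Symfony's own, accepts any configured sanitizer name as its second argument (with 'contao' being the Contao-specific special case).

```yaml
# config/packages/framework.yaml (added example, not from the Contao docs)
framework:
    html_sanitizer:
        sanitizers:
            # Loose variant (assumed name): the W3C "safe" list still allows
            # img, table, div and many other elements, more than a comment needs.
            app.comment_loose:
                allow_safe_elements: true

            # Hardened variant (assumed name) for untrusted comment bodies.
            app.comment:
                # No safe list; every allowed element is listed explicitly,
                # together with the attributes it may carry.
                allow_elements:
                    p: []
                    br: []
                    strong: []
                    em: []
                    code: []
                    a: ['href', 'title']
                # Every surviving link gets rel="noopener noreferrer".
                force_attributes:
                    a:
                        rel: 'noopener noreferrer'
                # Only https links survive; javascript:, data: and http: are dropped
                # or rewritten, and relative links are not allowed.
                allowed_link_schemes: ['https']
                force_https_urls: true
                allow_relative_links: false
                # Refuse oversized input instead of spending CPU on it.
                max_input_length: 20000
```

In a template the stricter sanitizer is selected by name, e.g. `{{ comment.body|sanitize_html('app.comment') }}`; under the assumption above, Contao's override still encodes the braces of insert tags for this sanitizer, since only the 'contao' sanitizer leaves them intact.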

Contao sanitizer

Info
This feature is available in Contao 5.7 and later.

If you call the filter with the 'contao' sanitizer, the HTML code is sanitized according to the allowed HTML tags and attributes configured in the security section of the Contao system settings. In this case insert tags are not encoded and unclosed tags are not closed automatically.

{{ '<div title=test style=color:red onclick=alert(1)><script>alert(2)</script>{{date::Y}}'|sanitize_html('contao') }}
{# Output: #} <div title="test" style="color:red">&#60;script&#62;alert(2)&#60;/script&#62;{{date::Y}}
Here the style attribute survives because the system settings allow it, onclick is dropped, the script tags are encoded rather than removed, and both the insert tag and the unclosed div are left untouched. The exact output depends on the tags and attributes allowed in your system settings.
Info

Use the contao sanitizer only for HTML code that comes from the Contao back end, e.g. from a TinyMCE editor. Do not use it for HTML from external sources: the insert tags it leaves intact would be replaced when the page is rendered.