# HTML XSS Sanitizer MCP

> HTML XSS Sanitizer: Stops malicious code from entering your database. This MCP takes raw HTML inputs—like user comments or blog content—and strips out dangerous scripts, event handlers, and unsafe tags before saving them. It provides a critical security layer that standard AI models can't handle.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** xss-protection, sanitization, web-security, input-validation, data-integrity, cybersecurity

## Description

When you let an agent process public input, you risk stored Cross-Site Scripting (XSS) payloads contaminating your data. Standard language models have no rendering engine with which to test whether an obfuscated or malicious payload would actually execute. This MCP acts as a necessary security shield. You simply feed it any raw HTML payload, and the tool surgically cleans the content, eliminating dangerous tags like `<script>` and unsafe attributes like `onload`. It enforces a strict whitelist of safe elements, ensuring that only clean, harmless markup makes it into your database. By connecting this through Vinkius, you give your AI client the reliable protection it needs to handle user-submitted content safely.

## Tools

### sanitizeHtml_html
Pass raw HTML content to strip dangerous scripts and attributes, returning clean markup safe for database storage.

## Prompt Examples

**Prompt:** 
```
Sanitize this HTML input: `<p>Hello</p><script>alert('hack');</script>`
```

**Response:** 
```
✅ **Sanitized HTML:** `<p>Hello</p>`
```

**Prompt:** 
```
Clean this blog post content to ensure no malicious iframes are present.
```

**Response:** 
```
✅ **Cleaned:** Stripped 2 `iframe` tags and 1 `onload` event successfully.
```

**Prompt:** 
```
Check if this user comment contains any XSS vectors before we save it.
```

**Response:** 
```
✅ **Sanitized Payload:** Returned safe string.
```

## Capabilities

### Strip Dangerous Tags
The MCP removes known malicious tags like script blocks and iframes from raw HTML.

### Clean Malicious Attributes
It scrubs unsafe attributes, such as `onload` or `onerror`, that attackers use to execute code in the browser.

### Enforce Safe Markup
The tool only allows specific, safe HTML tags you define, blocking everything else by default.

### Process Live Payloads
You pass it real-world inputs, such as user comments or forum posts, for immediate sanitization.

## Use Cases

### A user submits a profile bio with embedded scripts
The developer asks their agent to process the raw text. The agent uses `sanitizeHtml_html` and strips out the hidden JavaScript, returning only clean text that can safely be saved to the database.

### A content ingestion pipeline receives external blog posts
The system needs to save a third-party article. Before writing it, the agent runs `sanitizeHtml_html` on the whole body copy, guaranteeing that any embedded iframes or malicious scripts are gone.

### A forum post contains multiple attempts at obfuscated code
The backend receives a user comment full of suspicious, obfuscated markup. The agent calls `sanitizeHtml_html`, which identifies and removes the encoded vectors, letting you save usable content without risk.

### An agent processes mixed HTML/text data streams
The goal is to extract clean text while preserving benign formatting. The agent uses `sanitizeHtml_html` first to strip the junk and then extracts the pure, safe content for display.

## Benefits

- You stop Cross-Site Scripting (XSS) attacks dead in their tracks. Instead of worrying about obscure event handlers, you trust the output of the `sanitizeHtml_html` tool to clean every payload.
- It moves security checks out of your code and into a specialized service. Your agents don't need complex regex or custom parsers; they just call this MCP function.
- You enforce a strict whitelist approach, meaning only approved HTML tags survive the process. This is much safer than trying to blacklist every possible attack vector.
- The tool handles both dangerous tags like `<script>` and malicious attributes like `onload` simultaneously. It's an all-in-one security layer for rich text input.
- It gives you instant, reliable data integrity. You can run this MCP client-side or server-side to ensure no bad data ever enters your system.

## How It Works

The bottom line is you get database-safe HTML, removing manual checks for every single input source.

1. Send the raw HTML content (e.g., a blog comment) to the MCP.
2. The tool analyzes the payload against known XSS vectors and strips all dangerous elements and attributes.
3. Receive clean, safe HTML that is guaranteed not to execute malicious code in a browser.
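As an added illustration of the whitelist approach described above and in the Description (this is example code, not the MCP's own implementation, which the page does not show), here is a minimal allowlist sanitizer built on Python's standard-library `html.parser`. It keeps only allowlisted tags and attributes, drops `on*` event handlers, swallows the bodies of `script`/`iframe`-style elements, and rejects `javascript:`, `data:` and other non-allowlisted URL schemes even when they are entity- or whitespace-obfuscated; the allowlists themselves are assumptions chosen for this example.

```python
from html import escape
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}  # assumed lists for this example
ALLOWED_ATTRS = {"a": {"href", "title"}}  # event handlers (on*) are never allowlisted, so they are dropped
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag and its body both removed

def safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, vbscript: and the like."""
    # Browsers ignore whitespace and control characters inside a scheme ("java\tscript:"), so strip them first.
    cleaned = "".join(c for c in (value or "") if c.isprintable() and not c.isspace())
    scheme, sep, _ = cleaned.partition(":")
    if not sep or not scheme.isalnum():
        return True  # no scheme: relative URL
    return scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0  # dropped is an audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # swallow this element and everything nested inside it
        if self.skip or tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")  # tag removed; text inside an unknown (not swallowed) tag is kept
            return
        kept = []
        for name, value in attrs:  # html.parser has already decoded entity refs in attribute values
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or safe_url(value)):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append(f"attr:{tag}.{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape text so it cannot form new markup

def sanitize_html(raw):
    parser = AllowlistSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Run the sanitizer on the server at the point where untrusted HTML crosses into storage; a client-side pass alone can be skipped by anyone who posts to the API directly. The returned `dropped` list is worth logging, since a spike in stripped `script` tags or `javascript:` links is a useful detection signal.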

## Frequently Asked Questions

**Does HTML XSS Sanitizer handle plain text inputs?**
No, this MCP is designed specifically for cleaning existing HTML payloads. If your input is purely plain text, you don't need to use the `sanitizeHtml_html` tool.

**Is using sanitizeHtml_html fast enough for high-traffic sites?**
Yes. It's built as a dedicated security service designed for speed and reliability, making it suitable for high-volume data ingestion pipelines without performance bottlenecks.

**What if I want to allow *some* HTML tags but block others?**
The tool uses whitelisting logic: the core function strips dangerous items by default, and the whitelist defines which tags count as safe, so anything outside it gets stripped.

**Is sanitizeHtml_html effective against modern XSS vectors?**
Yes. It uses enterprise-grade sanitization techniques designed to defeat obfuscated payloads, including Base64 encoding and obscure event handlers that basic filters miss.