HTML Sanitizer

Please note that this article applies only to self-hosted shops. For cloud shops, this configuration cannot be changed at this time.

With Shopware version 6.5, an HTML sanitizer was introduced. It improves the security, reliability and usability of the editor by removing unsafe HTML. It also sanitizes styles and attributes so that the code renders consistently and correctly regardless of platform and browser.

For example, if an img tag is entered, the editor removes it automatically after a few seconds and shows a notice that some of your input has been sanitized.

Whitelisting

For all further steps a basic understanding of YAML and its syntax is necessary.

The img tag can be allowed again by adding it to the whitelist in the z-shopware.yaml file.

The z-shopware.yaml is located in config/packages/ on the server where Shopware is installed. By default, this file does not exist; create it by copying the shopware.yaml that is in the same directory.

In the copied file (z-shopware.yaml), add a key called html_sanitizer: inside the shopware: key. All further values and wildcards go inside this key.

In this example, the img tag and the attributes src, alt and style (src and alt are HTML attributes, style carries inline CSS) are added to the whitelist of the basic set:

shopware:
    html_sanitizer:
        sets:
            # name of the set to extend; the page adds img to the existing "basic" set
            -   name: basic
                tags: [ "img" ]
                attributes: [ "src", "alt", "style" ]
                # HTML Purifier directives: both relax the filter well beyond the img tag
                options:
                    - key: HTML.Trusted
                      value: true
                    - key: CSS.Trusted
                      value: true

Please pay attention to the YAML syntax, especially to consistent indentation with spaces (tabs are not permitted in YAML). Note also that HTML.Trusted and CSS.Trusted are HTML Purifier configuration directives that mark the input as trusted and unlock markup and CSS the sanitizer otherwise keeps off; they are not what allows the img tag itself. Whitelist only the tags and attributes you actually need, and try the configuration without these two options first, adding them only if your content is still removed.

The shop cache must then be cleared (for example with bin/console cache:clear) for the change to take effect.
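To make concrete what the whitelist changes, and what it does not, the following toy allowlist sanitizer was added to this page as an illustration. It is not Shopware's or HTML Purifier's code: the tiny "basic" set, the CSS property list, the URL scheme list and the sample input are all constructed here, and the real sanitizer does considerably more (it balances tags and validates attribute values in detail). It mirrors the article's configuration by extending a basic set with img plus src, alt and style, and shows that even then event handler attributes, javascript: URLs and non-whitelisted CSS are still dropped, while the removed items are recorded in the same spirit as the editor's "input has been sanitized" notice.

```python
"""Toy allowlist sanitizer (added illustration, not Shopware's or HTML Purifier's code)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, much smaller stand-in for the "basic" set.
BASIC_TAGS = {"p", "b", "i", "a", "br"}
BASIC_ATTRIBUTES = {"href", "title"}
# The article's whitelist: the basic set extended by img with src, alt and style.
WHITELISTED_TAGS = BASIC_TAGS | {"img"}
WHITELISTED_ATTRIBUTES = BASIC_ATTRIBUTES | {"src", "alt", "style"}

VOID_TAGS = {"br", "img"}                  # never get a closing tag
URL_ATTRIBUTES = {"href", "src"}           # values are URLs and need a scheme check
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # constructed allowlist
DROP_WITH_CONTENT = {"script", "style"}    # remove the element *and* its contents
# Allowing the style attribute must not mean allowing arbitrary CSS.
ALLOWED_CSS_PROPERTIES = {"width", "height", "max-width", "margin", "float", "text-align"}
CSS_VALUE = re.compile(r"^[\w\s.%#-]+$")   # no parentheses -> no url()/expression()


def safe_url(value):
    """Relative URLs and allowlisted schemes pass; javascript:, data:, ... do not."""
    scheme = urlparse((value or "").strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def sanitize_style(style):
    """Keep only allowlisted CSS properties with plain values."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue
        prop, value = (part.strip() for part in declaration.split(":", 1))
        if prop.lower() in ALLOWED_CSS_PROPERTIES and CSS_VALUE.match(value):
            kept.append(f"{prop.lower()}:{value}")
    return ";".join(kept)


class AllowlistSanitizer(HTMLParser):
    def __init__(self, tags, attributes):
        super().__init__(convert_charrefs=True)
        self.tags, self.attributes = tags, attributes
        self.out = []
        self.removed = []   # what was dropped, like the editor's "input was sanitized" notice
        self.skipping = 0   # > 0 while inside a dropped script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT and tag not in self.tags:
            self.skipping += 1
            self.removed.append(f"<{tag}> with content")
            return
        if self.skipping:
            return
        if tag not in self.tags:
            self.removed.append(f"<{tag}>")   # tag dropped, its text content is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.attributes:
                self.removed.append(f"{tag}[{name}]")   # e.g. onclick, onerror
                continue
            if name in URL_ATTRIBUTES and not safe_url(value):
                self.removed.append(f"{tag}[{name}={value!r}]")
                continue
            if name == "style":
                value = sanitize_style(value)
                if not value:
                    self.removed.append(f"{tag}[style]")
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and tag not in self.tags:
            self.skipping = max(0, self.skipping - 1)
            return
        if not self.skipping and tag in self.tags and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def sanitize(markup, tags=BASIC_TAGS, attributes=BASIC_ATTRIBUTES):
    """Return (clean_html, list_of_removed_items)."""
    parser = AllowlistSanitizer(tags, attributes)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample input: harmless markup plus the usual injection attempts.
SAMPLE = (
    '<p>Hello <b onclick="steal()">world</b></p>'
    '<img src="https://shop.example/logo.png" alt="Logo" style="width:120px;background:url(javascript:1)">'
    '<img src="javascript:alert(1)" alt="x" onerror="alert(1)">'
    '<script>alert(document.cookie)</script>'
)

if __name__ == "__main__":
    for label, tags, attrs in (("basic set", BASIC_TAGS, BASIC_ATTRIBUTES),
                               ("basic + img", WHITELISTED_TAGS, WHITELISTED_ATTRIBUTES)):
        clean, removed = sanitize(SAMPLE, tags, attrs)
        print(f"{label}: {clean}\n  removed: {removed}")
```

With the basic set alone both images disappear, exactly as the article describes for the editor; with img whitelisted the harmless image survives, but its background:url(...) declaration, the javascript: src and the onerror handler are still removed. That is the property a whitelist should have: adding a tag widens the output only by what you named, not by everything that tag can carry.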

Disable HTML Sanitizer

If necessary, the HTML Sanitizer can also be disabled completely. This is strongly discouraged, because the following security risks then apply to the Administration as well as to the Storefront.

  • Cross-site scripting (XSS) attacks: HTML sanitizers help prevent XSS attacks, in which malicious scripts are injected into a website's code. Without proper sanitizing, an attacker could inject malicious scripts into the store, potentially compromising the security of user data, stealing sensitive information, or spreading malware.

  • Data integrity and confidentiality: HTML sanitizers help ensure the integrity and confidentiality of data entered by users. Without sanitizing, attackers can exploit vulnerabilities to modify or manipulate user data, leading to potential data breaches, unauthorized access, or tampering with sensitive information.

  • Reputation and customer trust: If a store becomes vulnerable to security risks due to a lack of sanitizing, this can damage the store's reputation and undermine customer trust. News of security breaches, compromised user data, or frequent attacks can discourage customers from making purchases or sharing their personal information, negatively impacting the store's success.

  • Legal and compliance issues: Companies are legally obliged to protect customer data and to implement appropriate security measures. The lack of proper HTML sanitizing can lead to legal and compliance issues, including fines, lawsuits or other legal consequences if a data breach occurs.

  • Operational disruption and financial loss: Successful attacks on a store can result in operational disruption, downtime, and financial loss. Addressing the consequences of a security breach, such as investigating the incident, implementing fixes, notifying affected customers, and restoring systems, can be costly and time-consuming.

If you want to deactivate the sanitizer despite the above warnings, you can also do this in the z-shopware.yaml by adding the following inside the shopware: key (and clearing the cache afterwards):

shopware:
    html_sanitizer:
        enabled: false


Version

6.5.3.0 or newer