Styling Dynamic Content from CMS Safely

Styling Dynamic Content from a CMS Safely

Content management systems make it easy for editors to publish formatted content, but the HTML they produce can be unpredictable and unsafe. This article explains practical approaches to keep your design consistent while protecting users and your app.

Why this is hard

CMS-produced HTML may include unexpected tags, inline styles, class names that conflict with your CSS, broken markup, or even malicious scripts. Without controls, editorial freedom can break layout, bypass design tokens, or create XSS vulnerabilities.

Core principles

Sanitize: Strip or transform unsafe markup and attributes before rendering.
Scope: Limit how CMS content affects global styles and vice versa.
Structure: Prefer structured, component-driven content rather than raw HTML when possible.
Policy: Enforce Content Security Policy (CSP) and upload/URL validation.
Test & Monitor: Validate style regressions and security through CI and runtime checks.

Sanitization and whitelisting

Never insert raw HTML into the DOM without sanitizing. Use a well-known library on the server or at render-time to apply a strict allowlist of tags and attributes. Common options:

DOMPurify (browser / Node)
sanitize-html (Node)
Bleach (Python)

Example (DOMPurify):

// Using DOMPurify to remove scripts and unexpected attributes
var clean = DOMPurify.sanitize(dirtyHtml, {
  ALLOWED_TAGS: ['p','br','strong','em','a','ul','ol','li','img','h2','h3','h4','table','thead','tbody','tr','th','td'],
  ALLOWED_ATTR: ['href','src','alt','title','width','height','target','rel']
});
document.querySelector('.cms-content').innerHTML = clean;

Notes:

Disallow inline event handlers (onclick) and style attributes if you want to centralize styling.
Always remove <script> and <style> tags coming from unsanitized editors.

Prefer structured content over raw HTML

Where possible, model content as structured blocks (rich text blocks, portable text, or custom JSON) and map blocks to your components. This eliminates most surprises and makes it easy to render content with consistent design and behavior.

Example pattern:

CMS stores blocks like {type: 'paragraph', text: '...'} or {type: 'image', src: '...'}.
Your renderer maps each type to a safe, styled component.

CSS scoping and isolation

Even sanitized markup can introduce classes and elements that collide with your styles. Use one or more of these options to keep CMS content visually contained:

Wrapper selector: Prefix all CMS-specific styles with a container class (e.g., .cms-content). This is the simplest approach.
CSS resets inside the container: Reset margins, font sizes, and inherit design tokens to reduce surprises.
Shadow DOM or iframe: Full isolation via Shadow DOM or an iframe prevents style leakage entirely. Use this for untrusted or highly variable content, but be mindful of accessibility and sizing.
Render components: If you use structured content, the components control markup and CSS, removing the need to style arbitrary user markup.

Example CSS scoping with a reset and token application:

/* Scope styles to CMS content and normalize basics */
.cms-content { --type-scale-1: 1rem; --type-scale-2: 1.125rem; color: #0f1724; font-family: system-ui, sans-serif; }
.cms-content * { box-sizing: border-box; }
.cms-content h2, .cms-content h3, .cms-content h4 { margin: 1rem 0 0.5rem; }
.cms-content p { margin: 0 0 1rem; font-size: var(--type-scale-1); }
.cms-content img { max-width: 100%; height: auto; display: block; margin: 0.5rem 0; }
.cms-content table { width: 100%; border-collapse: collapse; }
.cms-content table th, .cms-content table td { border: 1px solid #e6eef8; padding: 0.5rem; }

If you need nearly perfect isolation, Shadow DOM example (sanitize first):

// Create a shadow root and inject safe HTML and styles
const host = document.getElementById('cms-host');
const shadow = host.attachShadow({ mode: 'open' });
const styles = `
  :host { font-family: system-ui, sans-serif; color: #111; }
  p { margin: 0 0 1rem; }
`;
shadow.innerHTML = `<style>${styles}</style><div class="cms-inner">${clean}



    Remember: sanitize before inserting into a Shadow DOM or iframe.



  
    Design consistency techniques
    
      Expose design tokens (colors, fonts, spacing) via CSS variables and apply them inside the CMS container so content inherits your theme.
      Define a typographic scale and map headings to specific sizes in the .cms-content stylesheet.
      Provide a small set of utility classes that editors may use (e.g., .pull-quote, .embed-responsive).
        Keep this list short and documented.
      Restrict images to responsive patterns: max-width:100%, height:auto, and optional aspect-ratio helpers.
    
  

  
    Security and policy controls
    Beyond sanitization, enforce app-level policies:
    
      Use Content-Security-Policy headers to prevent inline scripts and untrusted external scripts. Example:
    
    Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self';

    
      Validate and sanitize uploads (images, files) server-side and serve them from a safe origin or a signed URL provider.
      Normalize or rewrite potentially dangerous URLs (javascript:). Only allow safe protocols in links and media (http, https, mailto, tel where appropriate).
      Escape or remove embedded HTML that could be used to exfiltrate data (iframes, forms to external endpoints).
    
  

  
    Testing and maintenance
    Make content styling part of CI and QA:
    
      Write visual regression tests for common content patterns (headings, lists, images, tables, embeds).
      Keep a list of known problematic editor inputs and add them to a test corpus.
      Log and monitor sanitized inputs to understand editor behavior and refine your allowlist and patterns.
    
  

  
    Practical checklist
    
      Sanitize HTML server-side or at render-time using a vetted library.
      Prefer structured blocks over free HTML when you can change the content model.
      Scope CMS styles with a container class or use Shadow DOM/iframe for strict isolation.
      Use CSS variables for theme tokens so CMS content matches your design system.
      Enforce CSP and validate uploads and external URLs.
      Document allowed editor features and provide editor-side helpers/templates so content is predictable.
      Add visual and security tests to CI and monitor in production.
    
  

  
    Recommended libraries & tools
    
      DOMPurify — trusted client/server-side sanitization.
      sanitize-html — Node.js allowlist sanitizer with fine-grained rules.
      Prettier/HTML linting — keep stored HTML normalized.
      Design system tokens (CSS variables) — keep styles consistent.
      Storybook & visual regression tools (Chromatic, Percy) — catch style regressions early.
    
  

  
    Summary
    Styling CMS content safely is a combination of security, CSS discipline, and content modeling. Sanitize inputs, scope and normalize styles, expose your design tokens, and prefer component-driven rendering where possible. This reduces surprises, keeps pages secure, and ensures editorial content matches your brand.

Styling Dynamic Content from CMS Safely

Styling Dynamic Content from a CMS Safely

Why this is hard

Core principles

Sanitization and whitelisting

Prefer structured content over raw HTML

CSS scoping and isolation

Design consistency techniques

Security and policy controls

Testing and maintenance

Practical checklist

Recommended libraries & tools

`Have a project idea?`

`Latest articles`

CSS Isolation Strategies in Component-Based Apps

Migrating from SCSS to Modern Native CSS