
ezyang/htmlpurifier

Standards compliant HTML filter written in PHP


Top Related Projects

  • HtmlSanitizer: Cleans HTML to avoid XSS attacks
  • DOMPurify: a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.

Quick Overview

HTML Purifier is a standards-compliant HTML filter library written in PHP. It removes malicious code (such as cross-site scripting) from user-submitted HTML, ensuring that the output is safe to display on a web page.

Pros

  • Comprehensive Security: HTML Purifier is built around a whitelist of elements, attributes, URI schemes and CSS properties, so it protects reliably against cross-site scripting (XSS) carried in user-submitted HTML. It does nothing for SQL injection or other non-HTML injection classes; those need parameterized queries and their own controls.
  • Flexible Configuration: The library provides a highly customizable configuration system, allowing developers to tailor the sanitization process to their specific needs.
  • Standards Compliance: HTML Purifier adheres to web standards, ensuring that the output is compatible with modern browsers and web technologies.
  • Active Development and Community: The project is actively maintained, with regular updates and a supportive community of contributors.

Cons

  • Performance Overhead: Depending on the complexity of the input and the level of sanitization required, HTML Purifier may introduce some performance overhead, which could be a concern for high-traffic websites.
  • Complexity: The library's comprehensive feature set and configurability can make it more complex to set up and integrate into a project, especially for developers new to the library.
  • Dependency on PHP: As a PHP-based library, HTML Purifier is limited to projects that are built using the PHP programming language.
  • Lossy Normalization: The output is a cleaned, well-formed rendition of the input, not a byte-for-byte copy: unclosed tags are closed, disallowed elements and attributes are dropped, and entities and nesting are normalized. Applications that need to round-trip the original markup, or that diff user edits, must keep the raw input separately.

Code Examples

Here are a few examples of how to use HTML Purifier in your PHP code:

  1. Basic HTML Sanitization:
require_once 'vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);

$dirtyHTML = '<script>alert("XSS attack!");</script><p>This is some safe HTML.</p>';
$cleanHTML = $purifier->purify($dirtyHTML); // the <script> element and its contents are removed

echo $cleanHTML;
  2. Customizing the Purifier Configuration:
$config = HTMLPurifier_Config::createDefault();
// Whitelist: only these elements, each with only the listed attributes; everything else is stripped.
$config->set('HTML.Allowed', 'p,a[href],img[src]');
// Largest value accepted for img width/height attributes (an integer, not a string).
$config->set('HTML.MaxImgLength', 500);

$purifier = new HTMLPurifier($config);
$cleanHTML = $purifier->purify($dirtyHTML);
  3. Caching for Performance:
$config = HTMLPurifier_Config::createDefault();
// Serialized element/attribute definitions are written here. The directory must exist and be
// writable by the web server process, otherwise the definitions are rebuilt on every request.
$config->set('Cache.SerializerPath', '/path/to/cache/directory');

$purifier = new HTMLPurifier($config);
$cleanHTML = $purifier->purify($dirtyHTML);
  4. Restricting URI Schemes When Purifying an Uploaded HTML File:
$config = HTMLPurifier_Config::createDefault();
// Replaces the default scheme list; anything not listed (javascript:, data:, file:, ...) is rejected.
// Only schemes HTML Purifier implements can be enabled: 'urn' has no scheme handler in the
// library, so listing it has no effect and it is left out here.
$config->set('URI.AllowedSchemes', array(
    'http' => true,
    'https' => true,
    'mailto' => true,
    'ftp' => true,
));

$purifier = new HTMLPurifier($config);
// purify() expects a fragment; a full document is reduced to its <body> contents by default.
$cleanHTML = $purifier->purify(file_get_contents('/path/to/uploaded/file.html'));
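The snippets above set one directive at a time. The following is an added example, not code from the HTML Purifier project, that puts them together into a hardened configuration for untrusted user comments and runs it over a set of constructed attack inputs (script tags, event handlers, javascript: and data: URIs, a remote tracking image, a style attribute, and malformed nesting). The cache directory under sys_get_temp_dir(), the host name comments.example, the sample inputs and the helper names makeCommentPurifier, attackSamples, sanitizeSamples and looksSafe are all assumptions of this example; the directive names are HTML Purifier's own.

```php
<?php
// Added example (not part of the HTML Purifier project): hardened configuration for
// untrusted user comments, exercised against constructed XSS inputs.
require_once 'vendor/autoload.php'; // assumes `composer require ezyang/htmlpurifier`

function makeCommentPurifier(string $cacheDir): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Whitelist: only these elements, each with only the listed attributes. No style,
    // no event handlers, no id/class; anything not listed is stripped (text content kept).
    $config->set(
        'HTML.Allowed',
        'p,br,strong,em,ul,ol,li,blockquote,code,pre,a[href|title],img[src|alt|width|height]'
    );

    // Replace the default scheme list: javascript:, data:, file: etc. are rejected outright.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    // Outgoing links from untrusted authors get rel="nofollow", target="_blank" and noopener.
    // These are attribute post-transforms, applied after validation, so the HTML.Allowed
    // whitelist above does not strip them again.
    $config->set('HTML.Nofollow', true);
    $config->set('HTML.TargetBlank', true);
    $config->set('HTML.TargetNoopener', true);

    // Anything not on our own host counts as external; refuse to embed it (no remote images
    // means no tracking pixels and no mixed content). 'comments.example' is a placeholder.
    $config->set('URI.Host', 'comments.example');
    $config->set('URI.DisableExternalResources', true);
    // Drop an <img> whose src was rejected instead of leaving a placeholder image behind.
    $config->set('Core.RemoveInvalidImg', true);

    // Definition cache: must be an existing, writable directory, or HTML Purifier warns and
    // rebuilds its definitions on every request.
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0700, true)) {
        throw new RuntimeException("cannot create cache directory $cacheDir");
    }
    if (!is_writable($cacheDir)) {
        throw new RuntimeException("cache directory $cacheDir is not writable");
    }
    $config->set('Cache.SerializerPath', $cacheDir);

    return new HTMLPurifier($config);
}

/** Constructed attack inputs (not real user data), keyed by the vector they exercise. */
function attackSamples(): array
{
    return [
        'script_tag' => '<p>hi</p><script>alert(1)</script>',
        'event_attr' => '<img src="https://comments.example/a.png" onerror="alert(1)" alt="x">',
        'js_href'    => '<a href="javascript:alert(1)">click</a>',
        'data_img'   => '<img src="data:text/html;base64,PHNjcmlwdD4=" alt="x">',
        'remote_img' => '<img src="https://evil.example/track.gif" alt="">',
        'style_attr' => '<p style="background:url(javascript:alert(1))">x</p>',
        'ext_link'   => '<a href="https://example.org/" target="_top" rel="x">site</a>',
        'malformed'  => '<p><b>bold<i>nested</p><ul><li>one<li>two',
    ];
}

function sanitizeSamples(HTMLPurifier $purifier): array
{
    $out = [];
    foreach (attackSamples() as $name => $dirty) {
        $out[$name] = $purifier->purify($dirty);
    }
    return $out;
}

/** Coarse post-check for the demo output; the purifier, not this regex, is the control. */
function looksSafe(string $html): bool
{
    return stripos($html, '<script') === false
        && stripos($html, 'javascript:') === false
        && !preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

$purifier = makeCommentPurifier(sys_get_temp_dir() . '/htmlpurifier-cache');
foreach (sanitizeSamples($purifier) as $name => $clean) {
    printf("%-11s %-4s %s\n", $name, looksSafe($clean) ? 'ok' : 'FAIL', $clean);
}
```

Run it with `php` from the directory holding `vendor/` after installing the package. In a real deployment set URI.Host to the host that serves the comments and point Cache.SerializerPath at a directory outside the web root; the same-host image in the event_attr sample is kept (minus its onerror handler) precisely because URI.Host matches, while the remote_img sample is removed.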

Getting Started

To get started with HTML Purifier, follow these steps:

  1. Install the library using Composer:
composer require ezyang/htmlpurifier
  2. Require the Composer autoloader in your PHP script:
require_once 'vendor/autoload.php';
  3. Create a new HTMLPurifier instance with the default configuration:
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
  4. Use the purify() method to sanitize your HTML input:
$dirtyHTML = '<script>alert("XSS attack!");</script><p>This is some safe HTML.</p>';
$cleanHTML = $purifier->purify($dirtyHTML);

echo $cleanHTML;

Competitor Comparisons

HtmlSanitizer: Cleans HTML to avoid XSS attacks

Pros of HtmlSanitizer

  • Written in C#, making it more suitable for .NET projects
  • Actively maintained with recent updates
  • Lightweight and easy to integrate

Cons of HtmlSanitizer

  • Less comprehensive documentation compared to HTMLPurifier
  • Fewer configuration options and customization features
  • Smaller community and ecosystem

Code Comparison

HTMLPurifier (PHP):

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

HtmlSanitizer (C#):

using Ganss.Xss; // namespace of the HtmlSanitizer NuGet package (older releases use Ganss.XSS)

var sanitizer = new HtmlSanitizer();
var clean_html = sanitizer.Sanitize(dirty_html);

Both libraries aim to sanitize HTML input, but they differ in their implementation languages and ecosystems. HTMLPurifier is a more established and feature-rich solution for PHP projects, while HtmlSanitizer offers a simpler approach for .NET applications.

HTMLPurifier provides extensive configuration options and a robust set of features, making it suitable for complex sanitization requirements. It has a larger community and more comprehensive documentation.

HtmlSanitizer, on the other hand, is more lightweight and easier to integrate into .NET projects. It's actively maintained but offers fewer customization options compared to HTMLPurifier.

The choice between these libraries largely depends on the project's programming language, specific requirements, and the level of customization needed for HTML sanitization.

DOMPurify: a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks.

Pros of DOMPurify

  • Lightweight and fast, with a smaller footprint than HTMLPurifier
  • Designed specifically for client-side sanitization in modern browsers
  • Actively maintained with frequent updates and security patches

Cons of DOMPurify

  • Limited configuration options compared to HTMLPurifier's extensive customization
  • Primarily focused on XSS protection, while HTMLPurifier offers broader HTML cleaning capabilities
  • Requires a DOM implementation; server-side use needs jsdom or a similar DOM (the DOMPurify README documents this), so it is less convenient on the server than HTMLPurifier is in PHP

Code Comparison

HTMLPurifier (PHP):

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

DOMPurify (JavaScript):

var clean = DOMPurify.sanitize(dirty);

Both libraries aim to sanitize HTML input, but DOMPurify's API is simpler and more concise. HTMLPurifier offers more configuration options out of the box, while DOMPurify focuses on providing a straightforward, lightweight solution for XSS protection in modern web applications.


README

HTML Purifier

HTML Purifier is an HTML filtering solution that uses a unique combination of robust whitelists and aggressive parsing to ensure that not only are XSS attacks thwarted, but the resulting HTML is standards compliant.

HTML Purifier is oriented towards richly formatted documents from untrusted sources that require CSS and a full tag-set. This library can be configured to accept a more restrictive set of tags, but it won't be as efficient as more bare-bones parsers. It will, however, do the job right, which may be more important.

Places to go:

  • See INSTALL for a quick installation guide
  • See docs/ for developer-oriented documentation, code examples and an in-depth installation guide.
  • See WYSIWYG for information on editors like TinyMCE and FCKeditor

HTML Purifier can be found on the web at: http://htmlpurifier.org/

Installation

Package available on Composer.

If you're using Composer to manage dependencies, you can use

$ composer require ezyang/htmlpurifier