Commit 45ec054

Merge pull request tgalopin#14 from tgalopin/htmlpurifier-comparison
Add HTMLPurifier comparison
2 parents 479a577 + 089a296 commit 45ec054

2 files changed

+20
-0
lines changed


README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@ This library is also available as [a Symfony bundle](https://github.com/tgalopin
2323
1. [Getting started](https://github.com/tgalopin/html-sanitizer/blob/master/docs/1-getting-started.md)
2424
2. [Creating an extension to allow custom tags](https://github.com/tgalopin/html-sanitizer/blob/master/docs/2-creating-an-extension-to-allow-custom-tags.md)
2525
3. [Configuration reference](https://github.com/tgalopin/html-sanitizer/blob/master/docs/3-configuration-reference.md)
26+
4. [Comparison with HTMLPurifier](https://github.com/tgalopin/html-sanitizer/blob/master/docs/4-comparison-with-htmlpurifier.md)
2627

2728
## Security Issues
2829
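Review bot: confirm that the target of the new link on the `26+` line, `docs/4-comparison-with-htmlpurifier.md`, matches the path of the file added in this PR exactly; the URL is absolute to `master`, so a mismatch in name or number produces a dead link in the rendered README with nothing to flag it. The entry otherwise follows the existing numbered-list and `docs/N-slug.md` convention of the items above it.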

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Comparison with HTMLPurifier
2+
3+
HTML sanitation is a vast domain and many library exist in PHP to tackle this problem. The most famous one is
4+
probably HTMLPurifier. However, html-sanitizer and HTMLPurifier do not have the same goal, even if they share a
5+
common use-case (XSS filtering).
6+
7+
HTMLPurifier aims at creating safe and valid HTML as close as possible to a given input. It wants to be generic
8+
and it is therefore quite cumbersome to configure for specific needs and constraints. It is well suited to clean
9+
full documents in which you need to keep the full structure and CSS while removing only the unsafe elements.
10+
11+
html-sanitizer is much stricter and does not try to fix the HTML provided. Instead, it builds
12+
new HTML from scratch by extracting only the safe data from the input. It aims to be used in combination with a
13+
WYSIWYG / client-side editor that output valid HTML: if the provided HTML was badly written, it means
14+
someone is trying to do something evil and the sanitizer can simply remove the invalid parts entirely.
15+
16+
An important part of html-sanitizer is predictability: by being able to configure a specific list of
17+
allowed tags and attributes, you can be certain you will only get these tags in the ouput of the sanitizer.
18+
This allows you to prevent not only XSS attacks but also all kinds of attacks related to CSS, as you are
19+
able to design properly each tag you allowed.
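Review bot: lines 13 and 14 overstate the threat model: malformed HTML is not evidence that "someone is trying to do something evil" (legacy content, copy-paste from other editors and editor bugs all produce it), so state the actual design decision instead, e.g. "the sanitizer treats it as untrusted input and drops the invalid parts rather than trying to repair them". Lines 18 and 19 likewise claim to prevent "all kinds of attacks related to CSS"; an allowlist of tags and attributes only gives that guarantee while `style` (and any other attribute that can carry CSS) is kept out of the allowlist, so qualify the sentence to "CSS-based attacks, provided you do not allow the `style` attribute", or drop the CSS claim. Wording fixes: line 3 "HTML sanitation" should be "HTML sanitization" and "many library exist" should be "many libraries exist"; line 13 "that output valid HTML" should be "that outputs valid HTML"; line 17 "ouput" should be "output"; line 19 "design properly each tag you allowed" reads better as "design each allowed tag properly".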

0 commit comments
