This package is in beta for now, until we are confident that every aspect of security related to HTML sanitization is appropriately covered.
html-sanitizer is a library aiming at handling, cleaning and sanitizing HTML sent by external users (who you cannot trust), allowing you to store it and display it safely. It has sensible defaults to provide a great developer experience while still being entirely configurable.
Internally, the sanitizer has a deep understanding of HTML: it parses the input and creates a tree of DOMNode objects, which it walks to keep only the safe elements of the content. Because it works from a strict whitelist, this approach is safe, fast and easily extensible.
It also provides useful features such as the possibility to transform image or iframe URLs to HTTPS.
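The following usage example is added here and is not part of the original README. It assumes the library has been installed with Composer, and the configuration keys it uses (`extensions`, `tags`, `allowed_hosts`, `force_https`) are taken from my recollection of the library's documentation rather than from this page, so check them against the current docs before relying on them. The input HTML is a constructed sample that mixes legitimate formatting with the kinds of content a whitelist-based sanitizer is meant to strip or rewrite.

```php
<?php
// Added example, not the library's own code. Assumes the package is installed
// via Composer and that the option names below match the library's documentation.
require __DIR__ . '/vendor/autoload.php';

use HtmlSanitizer\Sanitizer;

// Constructed sample of untrusted HTML: legitimate formatting plus an inline
// script, an event-handler attribute, a javascript: link, and two http:// images,
// one from a host we trust and one from a host we do not.
$untrustedHtml = <<<'HTML'
<p onclick="steal()">Hello <b>world</b></p>
<script>alert(1)</script>
<a href="javascript:alert(1)">click</a>
<img src="http://trusted.example/logo.png" onerror="alert(1)">
<img src="http://untrusted.example/track.gif">
HTML;

$sanitizer = Sanitizer::create([
    // Only the elements registered by these extensions pass the whitelist;
    // everything else (such as <script>) is dropped from the DOM tree.
    'extensions' => ['basic', 'image'],
    'tags' => [
        'img' => [
            // Keep <img> only when its host is on this list (assumed option name).
            'allowed_hosts' => ['trusted.example'],
            // Rewrite http:// image URLs to https:// (assumed option name).
            'force_https' => true,
        ],
    ],
]);

// The sanitizer parses the input into a DOMNode tree, keeps only whitelisted
// elements and attributes, and serializes the result back to HTML.
$safeHtml = $sanitizer->sanitize($untrustedHtml);

// Store or render $safeHtml, never the raw input.
echo $safeHtml, PHP_EOL;
```

Sanitize once on input and store only the sanitized string; re-sanitizing on every render adds cost without adding safety, and keeping the raw submission around invites accidental use of it.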
This library is also available as a Symfony bundle.
If you discover a security vulnerability within Symfony, please follow our disclosure procedure.
Many thanks to:
- The Open Web Application Security Project, from which many of the tests of this library are extracted (more specifically from OWASP/java-html-sanitizer);
- Masterminds/html5-php, which is a great HTML5 parser, used by default in this library;
- The PHP League URI parser, which allows this library to filter hosts safely;