{"id":13698391,"url":"https://github.com/symfony/html-sanitizer","last_synced_at":"2025-05-14T16:13:28.734Z","repository":{"id":42048604,"uuid":"442404126","full_name":"symfony/html-sanitizer","owner":"symfony","description":"Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.","archived":false,"fork":false,"pushed_at":"2024-10-27T15:24:36.000Z","size":103,"stargazers_count":237,"open_issues_count":0,"forks_count":9,"subscribers_count":6,"default_branch":"7.1","last_synced_at":"2024-10-29T15:15:00.804Z","etag":null,"topics":["component","html","php","purifier","sanitizer","symfony","symfony-component"],"latest_commit_sha":null,"homepage":"https://symfony.com/html-sanitizer","language":"PHP","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/symfony.png","metadata":{"funding":{"github":"fabpot","tidelift":"packagist/symfony/symfony","custom":"https://symfony.com/sponsor"},"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-28T08:48:59.000Z","updated_at":"2024-10-01T06:59:31.000Z","dependencies_parsed_at":"2024-02-27T07:58:48.774Z","dependency_job_id":"6231c729-01c5-4793-913e-764eabd6830f","html_url":"https://github.com/symfony/html-sanitizer","commit_stats":{"total_commits":23,"total_committers":13,"mean_commits":"1.7692307692307692","dds":0.6956521739130435,"last_synced_commit":"737cbaa8082b696d0574afd91b9f471eca67fc65"},"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/symfony%2Fhtml-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/symfony%2Fhtml-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/symfony%2Fhtml-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/symfony%2Fhtml-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/symfony","download_url":"https://codeload.github.com/symfony/html-sanitizer/tar.gz/refs/heads/7.1","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248688546,"owners_count":21145764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["component","html","php","purifier","sanitizer","symfony","symfony-component"],"created_at":"2024-08-02T19:00:45.418Z","updated_at":"2025-04-13T08:58:22.231Z","avatar_url":"https://github.com/symfony.png","language":"PHP","funding_links":["https://github.com/sponsors/fabpot","https://tidelift.com/funding/github/packagist/symfony/symfony","https://symfony.com/sponsor"],"categories":["Tools and Related Libraries","Table of Contents"],"sub_categories":["HTML Handling: Serialization, Sanitization, etc","Globalization","Filtering, Sanitizing and Validation"],"readme":"HtmlSanitizer Component\n=======================\n\nThe HtmlSanitizer component provides an object-oriented API to sanitize\nuntrusted HTML input for safe insertion into a document's DOM.\n\nUsage\n-----\n\n```php\nuse Symfony\\Component\\HtmlSanitizer\\HtmlSanitizerConfig;\nuse Symfony\\Component\\HtmlSanitizer\\HtmlSanitizer;\n\n// By default, an element not added to the allowed or blocked elements\n// will be dropped, including its children\n$config = (new HtmlSanitizerConfig())\n    // Allow \"safe\" elements and attributes. All scripts will be removed\n    // as well as other dangerous behaviors like CSS injection\n    -\u003eallowSafeElements()\n\n    // Allow all static elements and attributes from the W3C Sanitizer API\n    // standard. All scripts will be removed but the output may still contain\n    // other dangerous behaviors like CSS injection (click-jacking), CSS\n    // expressions, ...\n    -\u003eallowStaticElements()\n\n    // Allow the \"div\" element and no attribute can be on it\n    -\u003eallowElement('div')\n\n    // Allow the \"a\" element, and the \"title\" attribute to be on it\n    -\u003eallowElement('a', ['title'])\n\n    // Allow the \"span\" element, and any attribute from the Sanitizer API is allowed\n    // (see https://wicg.github.io/sanitizer-api/#default-configuration)\n    -\u003eallowElement('span', '*')\n\n    // Block the \"section\" element: this element will be removed but\n    // its children will be retained\n    -\u003eblockElement('section')\n\n    // Drop the \"div\" element: this element will be removed, including its children\n    -\u003edropElement('div')\n\n    // Allow the attribute \"title\" on the \"div\" element\n    -\u003eallowAttribute('title', ['div'])\n\n    // Allow the attribute \"data-custom-attr\" on all currently allowed elements\n    -\u003eallowAttribute('data-custom-attr', '*')\n\n    // Drop the \"data-custom-attr\" attribute from the \"div\" element:\n    // this attribute will be removed\n    -\u003edropAttribute('data-custom-attr', ['div'])\n\n    // Drop the \"data-custom-attr\" attribute from all elements:\n    // this attribute will be removed\n    -\u003edropAttribute('data-custom-attr', '*')\n\n    // Forcefully set the value of all \"rel\" attributes on \"a\"\n    // elements to \"noopener noreferrer\"\n    -\u003eforceAttribute('a', 'rel', 'noopener noreferrer')\n\n    // Transform all HTTP schemes to HTTPS\n    -\u003eforceHttpsUrls()\n\n    // Configure which schemes are allowed in links (others will be dropped)\n    -\u003eallowLinkSchemes(['https', 'http', 'mailto'])\n\n    // Configure which hosts are allowed in links (by default all are allowed)\n    -\u003eallowLinkHosts(['symfony.com', 'example.com'])\n\n    // Allow relative URL in links (by default they are dropped)\n    -\u003eallowRelativeLinks()\n\n    // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped)\n    -\u003eallowMediaSchemes(['https', 'http'])\n\n    // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed)\n    -\u003eallowMediaHosts(['symfony.com', 'example.com'])\n\n    // Allow relative URL in img/audio/video/iframe (by default they are dropped)\n    -\u003eallowRelativeMedias()\n\n    // Configure a custom attribute sanitizer to apply custom sanitization logic\n    // ($attributeSanitizer instance of AttributeSanitizerInterface)\n    -\u003ewithAttributeSanitizer($attributeSanitizer)\n\n    // Unregister a previously registered attribute sanitizer\n    // ($attributeSanitizer instance of AttributeSanitizerInterface)\n    -\u003ewithoutAttributeSanitizer($attributeSanitizer)\n;\n\n$sanitizer = new HtmlSanitizer($config);\n\n// Sanitize a given string, using the configuration provided and in the\n// \"body\" context (tags only allowed in \u003chead\u003e will be removed)\n$sanitizer-\u003esanitize($userInput);\n\n// Sanitize the given string for a usage in a \u003chead\u003e tag\n$sanitizer-\u003esanitizeFor('head', $userInput);\n\n// Sanitize the given string for a usage in another tag\n$sanitizer-\u003esanitizeFor('title', $userInput); // Will encode as HTML entities\n$sanitizer-\u003esanitizeFor('textarea', $userInput); // Will encode as HTML entities\n$sanitizer-\u003esanitizeFor('div', $userInput); // Will sanitize as body\n$sanitizer-\u003esanitizeFor('section', $userInput); // Will sanitize as body\n// ...\n```\n\nResources\n---------\n\n * [Contributing](https://symfony.com/doc/current/contributing/index.html)\n * [Report issues](https://github.com/symfony/symfony/issues) and\n   [send Pull Requests](https://github.com/symfony/symfony/pulls)\n   in the [main Symfony repository](https://github.com/symfony/symfony)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsymfony%2Fhtml-sanitizer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsymfony%2Fhtml-sanitizer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsymfony%2Fhtml-sanitizer/lists"}