https://github.com/symfony/html-sanitizer
Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
component html php purifier sanitizer symfony symfony-component
Last synced: 10 months ago
- Host: GitHub
- URL: https://github.com/symfony/html-sanitizer
- Owner: symfony
- License: mit
- Created: 2021-12-28T08:48:59.000Z (about 4 years ago)
- Default Branch: 7.1
- Last Pushed: 2024-10-27T15:24:36.000Z (over 1 year ago)
- Last Synced: 2024-10-29T15:15:00.804Z (over 1 year ago)
- Topics: component, html, php, purifier, sanitizer, symfony, symfony-component
- Language: PHP
- Homepage: https://symfony.com/html-sanitizer
- Size: 101 KB
- Stars: 237
- Watchers: 6
- Forks: 9
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
- awesome-php - Symfony HTML Sanitizer - An HTML sanitizer library. (Table of Contents / Filtering, Sanitizing and Validation)
- fucking-awesome-php - Symfony HTML Sanitizer - An HTML sanitizer library. (Table of Contents / Filtering, Sanitizing and Validation)
README
HtmlSanitizer Component
=======================
The HtmlSanitizer component provides an object-oriented API to sanitize
untrusted HTML input for safe insertion into a document's DOM.
Usage
-----
```php
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;

// By default, an element not added to the allowed or blocked elements
// will be dropped, including its children
$config = (new HtmlSanitizerConfig())
    // Allow "safe" elements and attributes. All scripts will be removed
    // as well as other dangerous behaviors like CSS injection
    ->allowSafeElements()

    // Allow all static elements and attributes from the W3C Sanitizer API
    // standard. All scripts will be removed but the output may still contain
    // other dangerous behaviors like CSS injection (click-jacking), CSS
    // expressions, ...
    ->allowStaticElements()

    // Allow the "div" element and no attribute can be on it
    ->allowElement('div')

    // Allow the "a" element, and the "title" attribute to be on it
    ->allowElement('a', ['title'])

    // Allow the "span" element, and any attribute from the Sanitizer API is allowed
    // (see https://wicg.github.io/sanitizer-api/#default-configuration)
    ->allowElement('span', '*')

    // Block the "section" element: this element will be removed but
    // its children will be retained
    ->blockElement('section')

    // Drop the "div" element: this element will be removed, including its children
    ->dropElement('div')

    // Allow the attribute "title" on the "div" element
    ->allowAttribute('title', ['div'])

    // Allow the attribute "data-custom-attr" on all currently allowed elements
    ->allowAttribute('data-custom-attr', '*')

    // Drop the "data-custom-attr" attribute from the "div" element:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', ['div'])

    // Drop the "data-custom-attr" attribute from all elements:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', '*')

    // Forcefully set the value of all "rel" attributes on "a"
    // elements to "noopener noreferrer"
    ->forceAttribute('a', 'rel', 'noopener noreferrer')

    // Transform all HTTP schemes to HTTPS
    ->forceHttpsUrls()

    // Configure which schemes are allowed in links (others will be dropped)
    ->allowLinkSchemes(['https', 'http', 'mailto'])

    // Configure which hosts are allowed in links (by default all are allowed)
    ->allowLinkHosts(['symfony.com', 'example.com'])

    // Allow relative URLs in links (by default they are dropped)
    ->allowRelativeLinks()

    // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped)
    ->allowMediaSchemes(['https', 'http'])

    // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed)
    ->allowMediaHosts(['symfony.com', 'example.com'])

    // Allow relative URLs in img/audio/video/iframe (by default they are dropped)
    ->allowRelativeMedias()

    // Configure a custom attribute sanitizer to apply custom sanitization logic
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withAttributeSanitizer($attributeSanitizer)

    // Unregister a previously registered attribute sanitizer
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withoutAttributeSanitizer($attributeSanitizer)
;

$sanitizer = new HtmlSanitizer($config);

// Sanitize a given string, using the configuration provided and in the
// "body" context (tags only allowed in <head> will be removed)
$sanitizer->sanitize($userInput);

// Sanitize the given string for a usage in a <head> tag
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize the given string for a usage in another tag
$sanitizer->sanitizeFor('title', $userInput);    // Will encode as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('div', $userInput);      // Will sanitize as body
$sanitizer->sanitizeFor('section', $userInput);  // Will sanitize as body

// ...
```
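The configuration tour above lists every knob but never applies one to real input. The following is an added example, not code from the README or the Symfony project: it builds a restrictive configuration for user-submitted comments (safe elements only, https/mailto links, https media, forced `rel`), registers a custom `AttributeSanitizerInterface` that keeps only allowlisted CSS class names (the README's own caveat about CSS-based click-jacking is the motivation), and runs it over a constructed hostile input. `ClassAllowlistSanitizer`, `buildCommentSanitizer`, the allowlist and the input are assumptions made for the demo; the script assumes the component is installed through Composer. The exact output depends on the installed version, so none is shown.

```php
<?php
// Added example (not the component's own code). Assumes the component is
// installed via Composer; the hostile input below is constructed for the demo.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;

/**
 * Hypothetical custom attribute sanitizer: keeps only CSS class names from an
 * allowlist, so user content cannot reach arbitrary site styles (overlays,
 * fixed positioning, ...) through the "class" attribute.
 */
final class ClassAllowlistSanitizer implements AttributeSanitizerInterface
{
    /** @param list<string> $allowed class names that may survive sanitization */
    public function __construct(private array $allowed)
    {
    }

    public function getSupportedElements(): ?array
    {
        return null; // null means: apply to every element
    }

    public function getSupportedAttributes(): ?array
    {
        return ['class'];
    }

    public function sanitizeAttribute(string $element, string $attribute, string $value, HtmlSanitizerConfig $config): ?string
    {
        $classes = preg_split('/\s+/', trim($value)) ?: [];
        $kept = array_values(array_intersect($classes, $this->allowed));

        // Returning null removes the attribute from the element entirely
        return $kept ? implode(' ', $kept) : null;
    }
}

/** Builds the sanitizer used for untrusted comment bodies (hypothetical helper). */
function buildCommentSanitizer(): HtmlSanitizer
{
    $config = (new HtmlSanitizerConfig())
        // Safe elements/attributes only: no scripts, no event handlers, no styles
        ->allowSafeElements()
        // "class" is allowed but passes through the allowlist sanitizer below
        ->allowAttribute('class', '*')
        // No javascript:, data:, ftp: ... in links or media
        ->allowLinkSchemes(['https', 'mailto'])
        ->allowMediaSchemes(['https'])
        ->forceHttpsUrls()
        // Every surviving link gets a hardened rel, whatever the author wrote
        ->forceAttribute('a', 'rel', 'noopener noreferrer')
        ->withAttributeSanitizer(new ClassAllowlistSanitizer(['quote', 'code']));

    return new HtmlSanitizer($config);
}

// Constructed untrusted input covering the usual injection vectors:
// inline script, event handler attribute, javascript: URL, data: image, stray class
$userInput = <<<'HTML'
<p class="quote overlay">Hello <b onmouseover="alert(1)">there</b></p>
<script>alert(document.cookie)</script>
<a href="javascript:alert(1)">click</a>
<a href="http://example.com/">link</a>
<img src="data:text/html;base64,PHNjcmlwdD4=" alt="x">
HTML;

$sanitizer = buildCommentSanitizer();

// Body context: markup is kept where allowed, everything else is stripped
echo $sanitizer->sanitize($userInput), PHP_EOL;

// The same input destined for a <title> element is entity-encoded instead
echo $sanitizer->sanitizeFor('title', $userInput), PHP_EOL;
```

Two design points worth noting: the custom sanitizer only ever narrows what the allowlist already permits (it cannot re-admit an attribute the configuration dropped), and `sanitizeFor()` is chosen per insertion point, since the same string is safe as body markup but must be entity-encoded inside `<title>` or `<textarea>`.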
Resources
---------
* [Contributing](https://symfony.com/doc/current/contributing/index.html)
* [Report issues](https://github.com/symfony/symfony/issues) and
[send Pull Requests](https://github.com/symfony/symfony/pulls)
in the [main Symfony repository](https://github.com/symfony/symfony)