Summary
Safe
HTML Purifier defeats XSS with an audited whitelist
Clean
HTML Purifier ensures standards-compliant output
Open
HTML Purifier is open-source and highly customizable
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!
I'd just like to say we use HTML Purifier in IRIS for filtering emails against XSS attacks and we've been more than impressed.— Chris Corbyn, Senior IRIS Developer
Download
Background
There are a number of open-source HTML filtering solutions out there on the web already. What sets HTML Purifier apart from them? Aren't all of these choices “secure”?
When it comes to HTML, attention to detail is key. Does it perform its filtering off a whitelist rather than an out-of-date blacklist? Does it filter every attribute in the document? Does it actually understand HTML?
Know thy enemy. Hackers have a huge arsenal of XSS vectors hidden within the depths of the HTML specification. HTML Purifier is effective because it decomposes the whole document into tokens and removing non-whitelisted elements, checking the well-formedness and nesting of tags, and validating all attributes according to their RFCs. HTML Purifier's comprehensive algorithms are complemented by a breadth of knowledge, ensuring that richly formatted documents pass through unstripped.
To my knowledge, there is nothing else in the wild that offers protection from XSS, standards-compliance, and corrective processing of poorly formed HTML. But don't take my word for it: do your research and try out the demo.
To find out more, you can read the Comparison for a analysis of HTML Purifier and the other major filters.
[Y]ou save my day by allowing me not to write another damned HTML parser.— Joseph Halter, Technical Director at Akira Web
Recent News
News Improvements
You may have noticed some various improvements and changes to our news system; entries now get their own permalink pages and the most recent news entry shows up on the front page. These are some easily noticeable cosmetic changes demonstrating the new News DOMFilter. This filter aggregates pages following the YYYY/MMDD-name.xhtml format in a folder and places the most recent contents on one page. This is opposed to what we previously did, which was stuff all the news contents on one page and have a scraper generate RSS for us (by the way, we still use the same scraper, which is due to the quite nice modularity of the two filters).
There should be more improvements coming soon as we add the features and trappings of a standard “blog”; expect comments and improved navigation, for example. I also plan on launching a personal weblog for PHP and other development related things; stay tuned.
As usual, this software is all free and can be accessed under the XHTML Compiler project at repo.or.cz.
Plugins
HTML Purifier is a great library to integrate with existing CMSes and other applications or WYSIWYG editors. Currently, we have plugins for these applications:
- Phorum (in use at our very own forums!)
- MODx
- Drupal by Bart Jansens
- Wordpress by John Godley
- Joomla by Double D
- CodeIgniter by Andy Mathijs
HTML Purifier is also now in print! Martin Brampton's new book PHP 5 CMS Framework Development includes a discussion of using HTML Purifier in your content management system. Go check it out!
Notice: Any plugin provided by a third party has not been vetted by us: use them at your own risk. If you are having a problem with the plugin, please consult the plugin author before asking for help here (we'll be more than happy to help, but it might be a problem with the plugin rather than HTML Purifier.)
This plugin is on top of my favorite list[.] I am going to heavily depend on it since my clients insist on having WYSIWYG and I insist on having pages that validate and are semantically sound.— David Molliere, MODx Marketing & Design Team
Plugins for other major applications gladly accepted!
Users
Here are some open-source applications that use HTML Purifier:
| Aliro | 3.1.0 |
| Jibberbook | 3.1.0 |
| Mia | 3.1.0 |
| Kohana | 3.1.0 |
| Midgard | via PEAR |
| BitWeaver | via PEAR, see install_checks.php |
| Project Babel | via PEAR and Midgard |
| PHP Atompub Server | via download |
If I've forgotten anyone, drop me a line with a link to both your application and the use of HTML Purifier in your code repository, and I'll add your application to this list.
Hall of Limbo: PHP4
The following applications are using HTML Purifier 2.1, for PHP4 compatibility. While this is fine, I would much rather they go PHP5!
| There are currently no applications using an up-to-date version of HTML Purifier 2.1. |
Hall of the Past
The following projects package HTML Purifier with their software, but are not up-to-date. They are putting their userbase at risk of security attacks by not keeping HTML Purifier updated. If you're a user or developer for these projects, please raise your voice and help to get them fixed!
| WPIDS | 3.0.0 |
| NoseRub | 3.0.0 |
| Lilina News Aggregator | 2.1.3 |
| TikiWiki | 2.1.3 |
| XOOPS Cube BRASIL | 2.1.3 |
| Lichen Webmail | 2.0.1, see ticket #79 |
| PHProjekt | 1.6.0 |
| XDForum | 1.3.2 |
Spread the Word!
Help spread awareness about HTML Purifier by:
- Bookmarking this website on your del.icio.us account, and/or
-
Including this little label on your website:
, with this code:
<a href="http://htmlpurifier.org/"><img src="http://htmlpurifier.org/live/art/powered.png" alt="Powered by HTML Purifier" border="0" /></a>