1
<?xml version=
"1.0" encoding=
"UTF-8"?>
2 <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
5 xmlns=
"http://www.w3.org/1999/xhtml"
6 xmlns:
xi=
"http://www.w3.org/2001/XInclude"
7 xmlns:
xc=
"urn:xhtml-compiler"
8 xmlns:
news=
"urn:xhtml-compiler:News"
12 <title>HTML Purifier - Filter your HTML the standards-compliant way!
</title>
13 <xi:include href=
"common-meta.xml" xpointer=
"xpointer(/*/node())" />
14 <meta name=
"description"
15 content=
"HTML filter that guards against XSS and ensures standards-compliant output." />
17 content=
"HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
18 <!-- See news.xhtml for definition -->
19 <link rel=
"alternate" type=
"application/rss+xml" title=
"News - HTML Purifier" href=
"news.rss" />
20 <script defer=
"defer" type=
"text/javascript" src=
"del.icio.us.js" xc:
absolute=
"src"></script>
21 <!-- OpenID for Edward Z. Yang -->
22 <link rel=
"openid.server" href=
"https://pip.verisignlabs.com/server" />
23 <link rel=
"openid.delegate" href=
"http://edwardzyang.pip.verisignlabs.com/" />
24 <!-- Google OpenSearch -->
25 <link rel=
"search" href=
"opensearchdescription.xml"
26 type=
"application/opensearchdescription+xml"
27 title=
"HTML Purifier" />
33 <span class=
"html">HTML
</span>
34 <span class=
"purifier">Purifier
</span>
38 Standards-Compliant HTML Filtering
43 <xi:include href=
"common-navigation.xml" xpointer=
"xpointer(/*/node())" />
50 <div id=
"summary-safe">
53 HTML Purifier defeats XSS with an audited whitelist
56 <div id=
"summary-clean">
59 HTML Purifier ensures standards-compliant output
62 <div id=
"summary-open">
65 HTML Purifier is open-source and highly customizable
71 <p><strong>HTML Purifier
</strong> is a standards-compliant
72 <abbr>HTML
</abbr> filter library written in
73 <abbr>PHP
</abbr>. HTML Purifier will not only remove all malicious
74 code (better known as
<abbr>XSS
</abbr>) with a thoroughly audited,
75 secure
<em>yet
</em> permissive
<strong><a
76 href=
"live/smoketests/printDefinition.php">whitelist
</a></strong>,
77 it will also make sure your documents are
78 <strong>standards compliant
</strong>, something only achievable with a
79 comprehensive knowledge of
<abbr>W3C
</abbr>'s specifications.
80 Tired of using BBCode due to the current landscape of deficient or
81 insecure
<abbr>HTML
</abbr> filters? Have a
82 <strong><acronym>WYSIWYG
</acronym></strong> editor but never been able to use it? Looking
83 for high-quality, standards-compliant, open-source components for that
84 application you're building? HTML Purifier is for you!
</p>
86 <blockquote class=
"fancy">
88 I'd just like to say we use HTML Purifier in
<a href=
"http://www.iris.ac/">IRIS
</a> for
89 filtering emails against XSS attacks and we've been more than impressed.
91 <div class=
"origin">— Chris Corbyn,
<em>Senior IRIS Developer
</em></div>
94 <xi:include href=
"download-box.xml" xpointer=
"xpointer(/*/node())" />
100 <div id=
"BackgroundContainer">
101 <h2 id=
"Background">Background
</h2>
103 <p>There are a number of open-source
<abbr>HTML
</abbr> filtering solutions out
104 there on the web already. What sets HTML Purifier apart from them?
105 Aren't all of these choices
<q>secure
</q>?
</p>
107 <p>When it comes to
<abbr>HTML
</abbr>,
<strong>attention to
108 detail
</strong> is key. Does it perform its filtering off a
109 whitelist rather than an out-of-date blacklist? Does it filter every
110 attribute in the document? Does it actually understand
<abbr>HTML
</abbr>?
</p>
112 <p><strong>Know thy enemy.
</strong> Hackers have a huge arsenal of
113 <abbr>XSS
</abbr> vectors hidden within the depths of the
114 <abbr>HTML
</abbr> specification. HTML Purifier is
115 effective because it decomposes the whole document
116 into tokens and removing
117 non-whitelisted elements, checking the well-formedness and nesting of tags, and
118 validating all attributes according to their
<abbr>RFC
</abbr>s.
119 HTML Purifier's comprehensive algorithms are complemented by a
120 <strong>breadth of knowledge
</strong>, ensuring that richly formatted
121 documents pass through unstripped.
</p>
123 <p>To my knowledge, there is nothing else in the wild that offers
124 protection from
<abbr>XSS
</abbr>, standards-compliance, and
125 corrective processing of poorly formed
<abbr>HTML
</abbr>. HTML
126 Purifier is not perfect; it can interact poorly with existing
127 JavaScript on websites, which can introduces vulnerabilities after the
128 fact. However, it is pretty damn good.
129 Do your research and try out the
<a href=
"demo.php">demo
</a>.
</p>
131 <p>To find out more, you can read the
132 <a href=
"comparison"><strong>Comparison
</strong></a>
133 for a analysis of HTML Purifier and the other major filters. Or you
134 can chat with other HTML Purifier users on our
135 <a href=
"http://groups.google.com/group/htmlpurifier">mailing
136 list
</a> and our
<a href=
"phorum">forum
</a>.
</p>
138 <blockquote class=
"fancy">
140 [Y]ou save my day by allowing me not to write another damned HTML parser.
143 — Joseph Halter,
<em>Technical Director at Akira Web
</em>
148 <div id=
"NewsContainer">
149 <h2 id=
"News">Recent News
</h2>
151 <div class=
"news" news:
source=
"news" news:
limit=
"1" news:
header=
"h3" />
154 <a href=
"news">Read earlier news...
</a>
160 <div class=
"clear"></div>
162 <h2 id=
"Ports">Ports
</h2>
164 <p>HTML Purifier has been
<a href=
"https://github.com/Mynigma/HTMLPurifier">partially ported to Objective C
</a> by Roman Priebe and Lukas Neumann.
</p>
166 <h2 id=
"Plugins">Plugins
</h2>
168 <p>HTML Purifier is a great library to integrate with existing
169 <abbr>CMS
</abbr>es and other applications or
<acronym>WYSIWYG
</acronym>
170 editors. Currently, we have plugins for these applications:
</p>
173 <li><a href=
"http://www.phorum.org/phorum5/read.php?62,127035">Phorum
</a> (in use at our very own forums!)
</li>
174 <li><a href=
"http://htmlpurifier.org/dev/plugins/modx.txt">MODx
</a></li>
175 <li><a href=
"http://bart.motd.be/projects/html-purifier-drupal-module">Drupal
</a> by Bart Jansens
</li>
176 <li><a href=
"http://urbangiraffe.com/plugins/html-purified/">Wordpress and bbPress
</a> by John Godley
</li>
177 <li><a href=
"http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla
</a> by Double D
</li>
178 <li><a href=
"https://github.com/refringe/codeigniter-htmlpurifier">CodeIgniter
</a> by Tyler Brownell (there is also an older plugin
<a href=
"http://mindloop.be/htmlpurifier-and-the-codeigniter-framework/">CodeIgniter
</a> by Andy Mathijs)
</li>
179 <li><a href=
"http://www.symfony-project.org/plugins/sfXssSafePlugin">Symfony
</a> by Alexandre Mogère
</li>
180 <li><a href=
"http://github.com/josegonzalez/purifiable">CakePHP
</a> by Jose Diaz-Gonzalez
</li>
181 <li><a href=
"http://nemesisdesign.net/blog/coding/html-purifier-plugin-joomla/">Joomla
</a> by Federico Capoano
</li>
182 <li><a href=
"https://github.com/harikt/li3_htmlpurifier">Lithium
</a> by Hari K T
</li>
183 <li><a href=
"http://community.elgg.org/pg/plugins/project/725191/developer/ewinslow/html-purifier-for-elgg-18">Elgg
</a> by Evan Winslow
</li>
184 <li><a href=
"http://addons.silverstripe.org/add-ons/zirak/htmlpurifier">SilverStripe CMS
</a> by Gabriele Brosulo
</li>
188 HTML Purifier is also now in print! Martin Brampton's new book
189 <a href=
"http://packt.aliro.org/">PHP
5 CMS Framework Development
</a>
190 includes a discussion of using HTML Purifier in your content management
191 system. Go check it out!
195 <strong>Notice:
</strong>
196 Any plugin provided by a third party has not been vetted by us: use
197 them at your own risk. If you are having a problem with the plugin,
198 please consult the plugin author before asking for help here (we'll
199 be more than happy to help, but it might be a problem with the
200 plugin rather than HTML Purifier.)
203 <blockquote class=
"fancy">
205 This plugin is on top of my favorite list[.] I am going to heavily
206 depend on it since my clients insist on having
<acronym>WYSIWYG
</acronym> and I insist on
207 having pages that validate and are semantically sound.
210 — David Molliere,
<em>MODx Marketing
& Design Team
</em>
214 <p>Plugins for other major applications gladly accepted!
</p>
217 <h2 id=
"Users">Users
</h2>
219 <p>Here are some open-source applications that use the latest versions of HTML Purifier:
</p>
222 <tr><td><a href=
"http://www.xoops.org">XOOPS
</a></td><td><a href=
"http://sourceforge.net/p/xoops/svn/HEAD/tree/XoopsCore/branches/2.5.x/2.5.7/htdocs/xoops_lib/modules/protector/library/">4.6.0</a></td></tr>
223 <tr><td><a href=
"http://reason.carleton.edu/">Reason CMS
</a></td><td><a href=
"https://github.com/carleton/reason_package/tree/master/htmlpurifier">4.6.0</a></td></tr>
224 <tr><td><a href=
"http://www.yiiframework.com/">Yii
</a></td><td><a href=
"https://github.com/yiisoft/yii/blob/master/CHANGELOG">4.6.0</a></td></tr>
225 <tr><td><a href=
"http://tikiwiki.org">Tiki Wiki CMS Groupware
</a></td><td><a href=
"http://sourceforge.net/p/tikiwiki/code/HEAD/tree/trunk/composer.json">4.6.0</a></td></tr>
226 <tr><td><a href=
"http://www.impresscms.org/">ImpressCMS
</a></td><td><a href=
"http://www.assembla.com/code/impresscms/subversion/nodes/trunk/htdocs/libraries/htmlpurifier">4.4.0</a></td></tr>
227 <tr><td><a href=
"http://qcu.be/">QCubed
</a></td><td><a href=
"http://trac.qcu.be/projects/qcubed/browser/framework/branches/2.0/includes/external_libraries/htmlpurifier">4.4.0</a></td></tr>
228 <tr><td><a href=
"http://www.midgard-project.org/">Midgard
</a></td><td>via PEAR
</td></tr>
229 <tr><td><a href=
"http://www.bitweaver.org/">BitWeaver
</a></td><td><a href=
"http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR
</a>, see
<a href=
"http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php
</a></td></tr>
230 <tr><td><a href=
"http://code.google.com/p/project-babel/issues/entry">Project Babel
</a></td><td>via PEAR and Midgard
</td></tr>
231 <tr><td><a href=
"http://code.google.com/p/php-atompub-server/">PHP Atompub Server
</a></td><td><a href=
"http://code.google.com/p/php-atompub-server/wiki/SanitizingInput">via download
</a></td></tr>
234 <p>If I've forgotten anyone, drop me a line with a link to both
235 your application and the use of HTML Purifier in your code repository,
236 and I'll add your application to this list.
</p>
239 <h3>Hall of Shame
</h3>
241 <p>The following projects package HTML Purifier with their software, but are
242 not up-to-date. They are putting their userbase at risk of security attacks
243 by not keeping HTML Purifier updated. If you're a user or developer for these projects, please
244 raise your voice and help to get them fixed!
</p>
247 <tr><td><!--<a href="https://github.com/aparraga/phal">-->Phal
<!--</a>--></td><td><a href=
"https://github.com/aparraga/phal/blob/master/phal/thrdparty/htmlpurifier/VERSION">4.2.0</a></td></tr>
248 <tr><td><!--<a href="http://fivefilters.org/pdf-newspaper/">-->PDF Newspaper
<!--</a>--></td><td><a href=
"http://bazaar.launchpad.net/~keyvan/fivefilters/pdf-newspaper/annotate/head:/libraries/htmlpurifier/library/HTMLPurifier.php">4.1.1</a></td></tr>
249 <tr><td><!--<a href="http://getlilina.org/">-->Lilina News Aggregator
<!--</a>--></td><td><a href=
"http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">4.0.0</a></td></tr>
250 <tr><td><!--<a href="http://noserub.com/">-->NoseRub
<!--</a>--></td><td><a href=
"http://noserub.googlecode.com/svn/trunk/vendors/htmlpurifier/HTMLPurifier.standalone.php">4.0.0</a></td></tr>
251 <tr><td><!--<a href="http://code.google.com/p/jibberbook/">-->Jibberbook
<!--</a>--></td><td><a href=
"http://jibberbook.googlecode.com/svn/trunk/source/libraries/htmlpurifier/HTMLPurifier.standalone.php">3.1.1</a></td></tr>
252 <tr><td><!--<a href="http://code.google.com/p/wpids/">-->WPIDS
<!--</a>--></td><td><a href=
"http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
253 <tr><td><!--<a href="http://code.google.com/p/xoopsbrasil/">-->XOOPS Cube BRASIL
<!--</a>--></td><td><a href=
"http://code.google.com/p/xoopsbrasil/source/browse/xoops_trust_path/PEAR/HTMLPurifier.php">2.1.3</a></td></tr>
254 <tr><td>XDForum
</td><td><a href=
"http://xdforum.svn.sourceforge.net/viewvc/xdforum/trunk/xdforum/includes/htmlpurifier/library/HTMLPurifier.php?view=markup">1.3.2</a></td></tr>
257 <h2 id=
"Propaganda">Spread the Word!
</h2>
259 <p>Help spread awareness about HTML Purifier by:
</p>
263 href=
"http://del.icio.us/post?v=4&noui&url=http://htmlpurifier.org/&title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
264 id=
"delicious">Bookmarking this website
</a> on your
<strong>del.icio.us
</strong> account, and/or
</li>
266 <div>Including this little
<strong>label
</strong> on your website:
267 <a href=
"http://htmlpurifier.org/"><img
268 src=
"live/art/powered.png"
269 alt=
"Powered by HTML Purifier" border=
"0" /></a>, with this code:
271 <pre class=
"long"><a href=
"http://htmlpurifier.org/
"><img
272 src=
"http://htmlpurifier.org/live/art/powered.png
"
273 alt=
"Powered by HTML Purifier
" border=
"0" /
></a
></pre>