Forward-proof the demo.
[htmlpurifier-web.git] / index.xhtml
blobf7f94a3c7af4bfae97e1a6f2b4c5104fa24f6c6c
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4 <html
5 xmlns="http://www.w3.org/1999/xhtml"
6 xmlns:xi="http://www.w3.org/2001/XInclude"
7 xmlns:xc="urn:xhtml-compiler"
8 xmlns:news="urn:xhtml-compiler:News"
9 xc:rss-from-git="yes"
10 xml:lang="en">
11 <head>
12 <title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
13 <xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
14 <meta name="description"
15 content="HTML filter that guards against XSS and ensures standards-compliant output." />
16 <meta name="keywords"
17 content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
18 <!-- See news.xhtml for definition -->
19 <link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
20 <script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
21 <!-- OpenID for Edward Z. Yang -->
22 <link rel="openid.server" href="https://pip.verisignlabs.com/server" />
23 <link rel="openid.delegate" href="http://edwardzyang.pip.verisignlabs.com/" />
24 <!-- Google OpenSearch -->
25 <link rel="search" href="opensearchdescription.xml"
26 type="application/opensearchdescription+xml"
27 title="HTML Purifier" />
28 </head>
29 <body>
31 <div id="branding">
32 <h1>
33 <span class="html">HTML</span>
34 <span class="purifier">Purifier</span>
35 </h1>
36 <blockquote>
37 <p>
38 Standards-Compliant HTML Filtering
39 </p>
40 </blockquote>
41 </div>
43 <xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />
45 <div id="main">
46 <div id="content">
48 <div id="summary">
49 <h2>Summary</h2>
50 <div id="summary-safe">
51 <h3>Safe</h3>
52 <p>
53 HTML Purifier defeats XSS with an audited whitelist
54 </p>
55 </div>
56 <div id="summary-clean">
57 <h3>Clean</h3>
58 <p>
59 HTML Purifier ensures standards-compliant output
60 </p>
61 </div>
62 <div id="summary-open">
63 <h3>Open</h3>
64 <p>
65 HTML Purifier is open-source and highly customizable
66 </p>
67 </div>
68 </div>
70 <div id="intro">
71 <p><strong>HTML Purifier</strong> is a standards-compliant
72 <abbr>HTML</abbr> filter library written in
73 <abbr>PHP</abbr>. HTML Purifier will not only remove all malicious
74 code (better known as <abbr>XSS</abbr>) with a thoroughly audited,
75 secure <em>yet</em> permissive <strong><a
76 href="live/smoketests/printDefinition.php">whitelist</a></strong>,
77 it will also make sure your documents are
78 <strong>standards compliant</strong>, something only achievable with a
79 comprehensive knowledge of <abbr>W3C</abbr>'s specifications.
80 Tired of using BBCode due to the current landscape of deficient or
81 insecure <abbr>HTML</abbr> filters? Have a
82 <strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking
83 for high-quality, standards-compliant, open-source components for that
84 application you're building? HTML Purifier is for you!</p>
86 <blockquote class="fancy">
87 <div class="quote">
88 I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
89 filtering emails against XSS attacks and we've been more than impressed.
90 </div>
91 <div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
92 </blockquote>
94 <xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />
96 </div>
98 <div class="clear">
100 <div id="BackgroundContainer">
101 <h2 id="Background">Background</h2>
103 <p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
104 there on the web already. What sets HTML Purifier apart from them?
105 Aren't all of these choices <q>secure</q>?</p>
107 <p>When it comes to <abbr>HTML</abbr>, <strong>attention to
108 detail</strong> is key. Does it perform its filtering off a
109 whitelist rather than an out-of-date blacklist? Does it filter every
110 attribute in the document? Does it actually understand <abbr>HTML</abbr>?</p>
112 <p><strong>Know thy enemy.</strong> Hackers have a huge arsenal of
113 <abbr>XSS</abbr> vectors hidden within the depths of the
114 <abbr>HTML</abbr> specification. HTML Purifier is
115 effective because it decomposes the whole document
116 into tokens and removing
117 non-whitelisted elements, checking the well-formedness and nesting of tags, and
118 validating all attributes according to their <abbr>RFC</abbr>s.
119 HTML Purifier's comprehensive algorithms are complemented by a
120 <strong>breadth of knowledge</strong>, ensuring that richly formatted
121 documents pass through unstripped.</p>
123 <p>To my knowledge, there is nothing else in the wild that offers
124 protection from <abbr>XSS</abbr>, standards-compliance, and
125 corrective processing of poorly formed <abbr>HTML</abbr>.
126 But don't take my word for it:
127 do your research and try out the <a href="demo.php">demo</a>.</p>
129 <p>To find out more, you can read the
130 <a href="comparison.html"><strong>Comparison</strong></a>
131 for a analysis of HTML Purifier and the other major filters.</p>
133 <blockquote class="fancy">
134 <div class="quote">
135 [Y]ou save my day by allowing me not to write another damned HTML parser.
136 </div>
137 <div class="origin">
138 &mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
139 </div>
140 </blockquote>
141 </div>
143 <div id="NewsContainer">
144 <h2 id="News">Recent News</h2>
146 <div class="news" news:source="news" news:limit="1" news:header="h3" />
149 <a href="news.html">Read earlier news...</a>
150 </p>
151 </div>
153 </div>
155 <h2 id="Plugins" class="clear">Plugins</h2>
157 <p>HTML Purifier is a great library to integrate with existing
158 <abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
159 editors. Currently, we have plugins for these applications:</p>
161 <ul>
162 <li><a href="http://www.phorum.org/phorum5/read.php?62,127035">Phorum</a> (in use at our very own forums!)</li>
163 <li><a href="http://htmlpurifier.org/dev/plugins/modx.txt">MODx</a></li>
164 <li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
165 <li><a href="http://urbangiraffe.com/plugins/html-purified/">Wordpress</a> by John Godley</li>
166 <li><a href="http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla</a> by Double D</li>
167 <li><a href="http://www.mindloop.be/nieuws/nieuwe-ontwikkelingen/htmlpurifier-and-the-codeigniter-framework">CodeIgniter</a> by Andy Mathijs</li>
168 <li><a href="http://www.symfony-project.org/plugins/sfXssSafePlugin">Symfony</a> by Alexandre Mogère</li>
169 </ul>
172 HTML Purifier is also now in print! Martin Brampton's new book
173 <a href="http://packt.aliro.org/">PHP 5 CMS Framework Development</a>
174 includes a discussion of using HTML Purifier in your content management
175 system. Go check it out!
176 </p>
179 <strong>Notice:</strong>
180 Any plugin provided by a third party has not been vetted by us: use
181 them at your own risk. If you are having a problem with the plugin,
182 please consult the plugin author before asking for help here (we'll
183 be more than happy to help, but it might be a problem with the
184 plugin rather than HTML Purifier.)
185 </p>
187 <blockquote class="fancy">
188 <div class="quote">
189 This plugin is on top of my favorite list[.] I am going to heavily
190 depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
191 having pages that validate and are semantically sound.
192 </div>
193 <div class="origin">
194 &mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
195 </div>
196 </blockquote>
198 <p>Plugins for other major applications gladly accepted!</p>
201 <h2 id="Users">Users</h2>
203 <p>Here are some open-source applications that use HTML Purifier:</p>
205 <table>
206 <tr><td><a href="http://info.tikiwiki.org/tiki-index.php">TikiWiki</a></td><td><a href="http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/third_party/htmlpurifier/HTMLPurifier.php?view=markup">3.2.0</a> (TikiWiki was incorrectly reported as being out-of-date since May 2008)</td></tr>
207 <tr><td><a href="http://www.yiiframework.com/">Yii</a></td><td><a href="http://yii.googlecode.com/svn/trunk/framework/vendors/htmlpurifier/HTMLPurifier.standalone.php">3.2.0</a></td></tr>
208 <tr><td><a href="http://www.impresscms.org/">ImpressCMS</a></td><td><a href="http://impresscms.svn.sourceforge.net/viewvc/impresscms/core/trunk/htdocs/libraries/htmlpurifier/HTMLPurifier.standalone.php?view=markup">3.1.1</a></td></tr>
209 <tr><td><a href="http://noserub.com/">NoseRub</a></td><td><a href="http://code.google.com/p/noserub/source/browse/branches/development/vendors/htmlpurifier/HTMLPurifier.php">3.1.1</a></td></tr>
210 <tr><td><a href="http://code.google.com/p/jibberbook/">Jibberbook</a></td><td><a href="http://jibberbook.googlecode.com/svn/trunk/source/libraries/htmlpurifier/HTMLPurifier.standalone.php">3.1.1</a></td></tr>
211 <tr><td><a href="http://brilaps.com/index.php?content=mia">Mia</a></td><td><a href="http://code.google.com/p/mia-chat/source/browse/trunk/mia_0_8_x/includes/htmlpurifier/HTMLPurifier.php">3.1.1</a></td></tr>
212 <tr><td><a href="http://kohanaphp.com/home.html">Kohana</a></td><td><a href="http://trac.kohanaphp.com/browser/trunk/system/vendor">3.1.1</a></td></tr>
213 <tr><td><a href="http://getlilina.org/">Lilina News Aggregator</a></td><td><a href="http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">3.1.1</a></td></tr>
214 <tr><td><a href="http://www.midgard-project.org/">Midgard</a></td><td>via PEAR</td></tr>
215 <tr><td><a href="http://www.bitweaver.org/">BitWeaver</a></td><td><a href="http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR</a>, see <a href="http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php</a></td></tr>
216 <tr><td><a href="http://code.google.com/p/project-babel/issues/entry">Project Babel</a></td><td>via PEAR and Midgard</td></tr>
217 <tr><td><a href="http://code.google.com/p/php-atompub-server/">PHP Atompub Server</a></td><td><a href="http://code.google.com/p/php-atompub-server/wiki/SanitizingInput">via download</a></td></tr>
218 </table>
220 <p>If I've forgotten anyone, drop me a line with a link to both
221 your application and the use of HTML Purifier in your code repository,
222 and I'll add your application to this list.</p>
225 <h3>Hall of Shame</h3>
227 <p>The following projects package HTML Purifier with their software, but are
228 not up-to-date. They are putting their userbase at risk of security attacks
229 by not keeping HTML Purifier updated. If you're a user or developer for these projects, please
230 raise your voice and help to get them fixed!</p>
232 <table>
233 <tr><td><!--<a href="http://code.google.com/p/wpids/">-->WPIDS<!--</a>--></td><td><a href="http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
234 <tr><td>Lichen Webmail</td><td><a href="http://trac.lichen-mail.org/browser/trunk/libs/HTMLPurifier.php">2.1.4</a>, see <a href="https://trac.lichen-mail.org/ticket/79">ticket #79</a></td></tr>
235 <tr><td><!--<a href="http://code.google.com/p/xoopsbrasil/">-->XOOPS Cube BRASIL<!--</a>--></td><td><a href="http://code.google.com/p/xoopsbrasil/source/browse/xoops_trust_path/PEAR/HTMLPurifier.php">2.1.3</a></td></tr>
236 <tr><td>XDForum</td><td><a href="http://xdforum.svn.sourceforge.net/viewvc/xdforum/trunk/xdforum/includes/htmlpurifier/library/HTMLPurifier.php?view=markup">1.3.2</a></td></tr>
237 </table>
239 <h2 id="Propaganda">Spread the Word!</h2>
241 <p>Help spread awareness about HTML Purifier by:</p>
243 <ul>
244 <li><a
245 href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
246 id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
247 <li>
248 <div>Including this little <strong>label</strong> on your website:
249 <a href="http://htmlpurifier.org/"><img
250 src="live/art/powered.png"
251 alt="Powered by HTML Purifier" border="0" /></a>, with this code:
252 </div>
253 <pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
254 src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
255 alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
256 </li>
257 </ul>
259 </div>
260 </div>
262 </body>
263 </html>