Major problems yo.
[htmlpurifier-web.git] / index.xhtml
blob 6beaf52109db51cf9689a1fa237fe2a39b844ffc
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xmlns:news="urn:xhtml-compiler:News"
xc:rss-from-git="yes"
xml:lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description"
content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords"
content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
<script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
<!-- OpenID for Edward Z. Yang -->
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://edwardzyang.pip.verisignlabs.com/" />
<!-- Google OpenSearch -->
<link rel="search" href="opensearchdescription.xml"
type="application/opensearchdescription+xml"
title="HTML Purifier" />
</head>
<body>
<div id="branding">
<h1>
<span class="html">HTML</span>
<span class="purifier">Purifier</span>
</h1>
<blockquote>
<p>
Standards-Compliant HTML Filtering
</p>
</blockquote>
</div>
<xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />
<div id="main">
<div id="content">
<div id="summary">
<h2>Summary</h2>
<div id="summary-safe">
<h3>Safe</h3>
<p>
HTML Purifier defeats XSS with an audited whitelist
</p>
</div>
<div id="summary-clean">
<h3>Clean</h3>
<p>
HTML Purifier ensures standards-compliant output
</p>
</div>
<div id="summary-open">
<h3>Open</h3>
<p>
HTML Purifier is open-source and highly customizable
</p>
</div>
</div>
<div id="intro">
<p><strong style="color:red">htmlpurifier.org's host suffered from major hardware failure earlier this
week. I'm on some backup hosting, but some parts of the website may
be missing. Let me know at <code>admin@htmlpurifier.org</code> and
I'll try to fix problems as soon as possible.</strong></p>
<p><strong>HTML Purifier</strong> is a standards-compliant
<abbr>HTML</abbr> filter library written in
<abbr>PHP</abbr>. HTML Purifier will not only remove all malicious
code (better known as <abbr>XSS</abbr>) with a thoroughly audited,
secure <em>yet</em> permissive <strong><a
href="live/smoketests/printDefinition.php">whitelist</a></strong>,
it will also make sure your documents are
<strong>standards compliant</strong>, something only achievable with a
comprehensive knowledge of <abbr>W3C</abbr>'s specifications.
Tired of using BBCode due to the current landscape of deficient or
insecure <abbr>HTML</abbr> filters? Have a
<strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking
for high-quality, standards-compliant, open-source components for that
application you're building? HTML Purifier is for you!</p>
<blockquote class="fancy">
<div class="quote">
I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
filtering emails against XSS attacks and we've been more than impressed.
</div>
<div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
</blockquote>
<xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />
</div>
<div class="clear">
<div id="BackgroundContainer">
<h2 id="Background">Background</h2>
<p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
there on the web already. What sets HTML Purifier apart from them?
Aren't all of these choices <q>secure</q>?</p>
<p>When it comes to <abbr>HTML</abbr>, <strong>attention to
detail</strong> is key. Does it perform its filtering off a
whitelist rather than an out-of-date blacklist? Does it filter every
attribute in the document? Does it actually understand <abbr>HTML</abbr>?</p>
<p><strong>Know thy enemy.</strong> Hackers have a huge arsenal of
<abbr>XSS</abbr> vectors hidden within the depths of the
<abbr>HTML</abbr> specification. HTML Purifier is
effective because it decomposes the whole document
into tokens, removes
non-whitelisted elements, checks the well-formedness and nesting of tags, and
validates all attributes according to their <abbr>RFC</abbr>s.
HTML Purifier's comprehensive algorithms are complemented by a
<strong>breadth of knowledge</strong>, ensuring that richly formatted
documents pass through unstripped.</p>
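The filtering steps this paragraph lists, and the whitelist, every-attribute and "does it understand HTML" questions in the paragraph before it, as an added Python example. This is not HTML Purifier's code and it covers only a tiny subset of HTML so that each step is visible: the element whitelist, the nesting table and the list of safe URL schemes are assumptions chosen for the example, and the inputs in the demo at the bottom are constructed.

```python
"""Miniature whitelist-based HTML filter (added example, not HTML Purifier's code).

Steps mirrored from the page: tokenize the document, drop non-whitelisted
elements, repair well-formedness and nesting, validate every attribute.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed whitelist for this example: element -> attributes it may carry.
ALLOWED = {"p": set(), "b": set(), "i": set(), "ul": set(), "li": set(),
           "a": {"href", "title"}}
# Elements whose *content* is discarded too, not just their tags.
DROP_CONTENT = {"script", "style"}
# Assumed nesting rule: a <ul> may only directly contain <li>.
ALLOWED_CHILDREN = {"ul": {"li"}}
# Assumed set of URL schemes accepted in href (relative URLs rejected for simplicity).
SAFE_SCHEMES = {"http", "https", "mailto"}


def valid_attr(tag, name, value):
    """Attribute validation: whitelisted name, and href restricted to safe schemes."""
    if name not in ALLOWED[tag]:
        return False
    if name == "href":
        # Browsers ignore tabs/newlines inside URLs, so a value such as
        # "java\nscript:" must be rejected rather than parsed leniently.
        if any(ord(c) < 0x20 for c in value):
            return False
        return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES
    return True


class WhitelistFilter(HTMLParser):
    """Tokenizes the input and rebuilds it from whitelisted tokens only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.stack = []      # currently open whitelisted elements (nesting check)
        self.dropping = False  # inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED:
            return  # non-whitelisted element: the tag goes, its text stays
        parent = self.stack[-1] if self.stack else None
        if parent in ALLOWED_CHILDREN and tag not in ALLOWED_CHILDREN[parent]:
            return  # illegal child for this parent, e.g. <p> directly in <ul>
        kept = [(n, v) for n, v in attrs if v is not None and valid_attr(tag, n, v)]
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_CONTENT:
                self.dropping = False
            return
        if tag not in self.stack:
            return  # stray end tag with no matching open element
        # Well-formedness repair: close everything left open inside this element.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # re-escape text content

    def result(self):
        while self.stack:  # close anything still open at end of input
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def purify(dirty):
    """Run the filter over one HTML fragment and return the cleaned fragment."""
    f = WhitelistFilter()
    f.feed(dirty)
    f.close()
    return f.result()


if __name__ == "__main__":
    # Constructed inputs: an inline script, an event handler, a javascript: URL,
    # a badly nested fragment and an illegal child element.
    for sample in ['<p>Hello <script>alert(1)</script><b onclick="x()">world</b></p>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<p><b>bold</p>',
                   '<ul><p>item</p><li>ok</li></ul>']:
        print(repr(sample), "->", repr(purify(sample)))
```

The point of the stack in `handle_endtag` is the "understands HTML" question: a filter that only pattern-matches tags cannot tell that `</p>` implicitly closes the `<b>` inside it, so its output is not guaranteed well-formed. The `href` check shows why every attribute must be validated, not merely its name whitelisted.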
<p>To my knowledge, there is nothing else in the wild that offers
protection from <abbr>XSS</abbr>, standards compliance, and
corrective processing of poorly formed <abbr>HTML</abbr>. HTML
Purifier is not perfect; it can interact poorly with existing
JavaScript on websites, which can introduce vulnerabilities after the
fact. However, it is pretty damn good.
Do your research and try out the <a href="demo.php">demo</a>.</p>
<p>To find out more, you can read the
<a href="comparison"><strong>Comparison</strong></a>
for an analysis of HTML Purifier and the other major filters. Or you
can chat with other HTML Purifier users on our
<a href="http://groups.google.com/group/htmlpurifier">mailing
list</a> and our <a href="phorum">forum</a>.</p>
<blockquote class="fancy">
<div class="quote">
[Y]ou save my day by allowing me not to write another damned HTML parser.
</div>
<div class="origin">
&mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
</div>
</blockquote>
</div>
<div id="NewsContainer">
<h2 id="News">Recent News</h2>
<div class="news" news:source="news" news:limit="1" news:header="h3" />
<p>
<a href="news">Read earlier news...</a>
</p>
</div>
</div>
<h2 id="Plugins" class="clear">Plugins</h2>
<p>HTML Purifier is a great library to integrate with existing
<abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
editors. Currently, we have plugins for these applications:</p>
<ul>
<li><a href="http://www.phorum.org/phorum5/read.php?62,127035">Phorum</a> (in use at our very own forums!)</li>
<li><a href="http://htmlpurifier.org/dev/plugins/modx.txt">MODx</a></li>
<li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
<li><a href="http://urbangiraffe.com/plugins/html-purified/">Wordpress and bbPress</a> by John Godley</li>
<li><a href="http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla</a> by Double D</li>
<li><a href="https://github.com/refringe/codeigniter-htmlpurifier">CodeIgniter</a> by Tyler Brownell (there is also an older plugin <a href="http://mindloop.be/htmlpurifier-and-the-codeigniter-framework/">CodeIgniter</a> by Andy Mathijs)</li>
<li><a href="http://www.symfony-project.org/plugins/sfXssSafePlugin">Symfony</a> by Alexandre Mogère</li>
<li><a href="http://github.com/josegonzalez/purifiable">CakePHP</a> by Jose Diaz-Gonzalez</li>
<li><a href="http://nemesisdesign.net/blog/coding/html-purifier-plugin-joomla/">Joomla</a> by Federico Capoano</li>
<li><a href="https://github.com/harikt/li3_htmlpurifier">Lithium</a> by Hari K T</li>
<li><a href="http://community.elgg.org/pg/plugins/project/725191/developer/ewinslow/html-purifier-for-elgg-18">Elgg</a> by Evan Winslow</li>
</ul>
<p>
HTML Purifier is also now in print! Martin Brampton's new book
<a href="http://packt.aliro.org/">PHP 5 CMS Framework Development</a>
includes a discussion of using HTML Purifier in your content management
system. Go check it out!
</p>
<p>
<strong>Notice:</strong>
Any plugin provided by a third party has not been vetted by us: use
them at your own risk. If you are having a problem with the plugin,
please consult the plugin author before asking for help here (we'll
be more than happy to help, but it might be a problem with the
plugin rather than HTML Purifier.)
</p>
<blockquote class="fancy">
<div class="quote">
This plugin is on top of my favorite list[.] I am going to heavily
depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
having pages that validate and are semantically sound.
</div>
<div class="origin">
&mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>
<p>Plugins for other major applications gladly accepted!</p>
<h2 id="Users">Users</h2>
<p>Here are some open-source applications that use the latest versions of HTML Purifier:</p>
<table>
<tr><td><a href="http://qcu.be/">QCubed</a></td><td><a href="http://svn.qcu.be/qcubed/framework/branches/2.0/includes/qcubed/_core/htmlpurifier/VERSION">4.3.0</a></td></tr>
<tr><td><a href="http://www.lionframework.org/">Lion PHP Framework</a></td><td><a href="http://fisheye.lionframework.org:8060/browse/P4/dev/lion/stable/lion/libs/thrdparty/htmlpurifier/library/HTMLPurifier.php?r=head">4.2.0</a></td></tr>
<tr><td><a href="http://tikiwiki.org">Tiki Wiki CMS Groupware</a></td><td><a href="http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/third_party/htmlpurifier/HTMLPurifier.php?view=markup">4.1.1</a></td></tr>
<tr><td><a href="http://www.yiiframework.com/">Yii</a></td><td><a href="http://yii.googlecode.com/svn/trunk/framework/vendors/htmlpurifier/HTMLPurifier.standalone.php">4.1.1</a></td></tr>
<tr><td><a href="http://fivefilters.org/pdf-newspaper/">PDF Newspaper</a></td><td><a href="http://bazaar.launchpad.net/~keyvan/fivefilters/pdf-newspaper/annotate/head:/libraries/htmlpurifier/library/HTMLPurifier.php">4.1.1</a></td></tr>
<tr><td><a href="http://www.impresscms.org/">ImpressCMS</a></td><td><a href="http://impresscms.svn.sourceforge.net/viewvc/impresscms/core/trunk/htdocs/libraries/htmlpurifier/HTMLPurifier.standalone.php?view=markup">4.1.0</a></td></tr>
<tr><td><a href="http://www.midgard-project.org/">Midgard</a></td><td>via PEAR</td></tr>
<tr><td><a href="http://www.bitweaver.org/">BitWeaver</a></td><td><a href="http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR</a>, see <a href="http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php</a></td></tr>
<tr><td><a href="http://code.google.com/p/project-babel/issues/entry">Project Babel</a></td><td>via PEAR and Midgard</td></tr>
<tr><td><a href="http://code.google.com/p/php-atompub-server/">PHP Atompub Server</a></td><td><a href="http://code.google.com/p/php-atompub-server/wiki/SanitizingInput">via download</a></td></tr>
</table>
<p>If I've forgotten anyone, drop me a line with a link to both
your application and the use of HTML Purifier in your code repository,
and I'll add your application to this list.</p>
<h3>Hall of Shame</h3>
<p>The following projects package HTML Purifier with their software, but are
not up-to-date. They are putting their userbase at risk of security attacks
by not keeping HTML Purifier updated. If you're a user or developer for these projects, please
raise your voice and help to get them fixed!</p>
<table>
<tr><td><!--<a href="http://getlilina.org/">-->Lilina News Aggregator<!--</a>--></td><td><a href="http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">4.0.0</a></td></tr>
<tr><td><!--<a href="http://noserub.com/">-->NoseRub<!--</a>--></td><td><a href="http://noserub.googlecode.com/svn/trunk/vendors/htmlpurifier/HTMLPurifier.standalone.php">4.0.0</a></td></tr>
<tr><td><!--<a href="http://code.google.com/p/jibberbook/">-->Jibberbook<!--</a>--></td><td><a href="http://jibberbook.googlecode.com/svn/trunk/source/libraries/htmlpurifier/HTMLPurifier.standalone.php">3.1.1</a></td></tr>
<tr><td><!--<a href="http://code.google.com/p/wpids/">-->WPIDS<!--</a>--></td><td><a href="http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
<tr><td><!--<a href="http://code.google.com/p/xoopsbrasil/">-->XOOPS Cube BRASIL<!--</a>--></td><td><a href="http://code.google.com/p/xoopsbrasil/source/browse/xoops_trust_path/PEAR/HTMLPurifier.php">2.1.3</a></td></tr>
<tr><td>XDForum</td><td><a href="http://xdforum.svn.sourceforge.net/viewvc/xdforum/trunk/xdforum/includes/htmlpurifier/library/HTMLPurifier.php?view=markup">1.3.2</a></td></tr>
</table>
<h2 id="Propaganda">Spread the Word!</h2>
<p>Help spread awareness about HTML Purifier by:</p>
<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
<div>Including this little <strong>label</strong> on your website:
<a href="http://htmlpurifier.org/"><img
src="live/art/powered.png"
alt="Powered by HTML Purifier" border="0" /></a>, with this code:
</div>
<pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>
</div>
</div>
</body>
</html>