1
<?xml version=
"1.0" encoding=
"UTF-8"?>
2 <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
5 xmlns=
"http://www.w3.org/1999/xhtml"
6 xmlns:
xi=
"http://www.w3.org/2001/XInclude"
7 xmlns:
xc=
"urn:xhtml-compiler"
8 xmlns:
news=
"urn:xhtml-compiler:News"
12 <title>HTML Purifier - Filter your HTML the standards-compliant way!
</title>
13 <xi:include href=
"common-meta.xml" xpointer=
"xpointer(/*/node())" />
14 <meta name=
"description"
15 content=
"HTML filter that guards against XSS and ensures standards-compliant output." />
17 content=
"HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
18 <!-- See news.xhtml for definition -->
19 <link rel=
"alternate" type=
"application/rss+xml" title=
"News - HTML Purifier" href=
"news.rss" />
20 <script defer=
"defer" type=
"text/javascript" src=
"del.icio.us.js" xc:
absolute=
"src"></script>
21 <!-- OpenID for Edward Z. Yang -->
22 <link rel=
"openid.server" href=
"https://pip.verisignlabs.com/server" />
23 <link rel=
"openid.delegate" href=
"http://edwardzyang.pip.verisignlabs.com/" />
24 <!-- Google OpenSearch -->
25 <link rel=
"search" href=
"opensearchdescription.xml"
26 type=
"application/opensearchdescription+xml"
27 title=
"HTML Purifier" />
33 <span class=
"html">HTML
</span>
34 <span class=
"purifier">Purifier
</span>
38 Standards-Compliant HTML Filtering
43 <xi:include href=
"common-navigation.xml" xpointer=
"xpointer(/*/node())" />
50 <div id=
"summary-safe">
53 HTML Purifier defeats XSS with an audited whitelist
56 <div id=
"summary-clean">
59 HTML Purifier ensures standards-compliant output
62 <div id=
"summary-open">
65 HTML Purifier is open-source and highly customizable
71 <p><strong>HTML Purifier
</strong> is a standards-compliant
72 <abbr>HTML
</abbr> filter library written in
73 <abbr>PHP
</abbr>. HTML Purifier will not only remove all malicious
74 code (better known as
<abbr>XSS
</abbr>) with a thoroughly audited,
75 secure
<em>yet
</em> permissive
<strong><a
76 href=
"live/smoketests/printDefinition.php">whitelist
</a></strong>,
77 it will also make sure your documents are
78 <strong>standards compliant
</strong>, something only achievable with a
79 comprehensive knowledge of
<abbr>W3C
</abbr>'s specifications.
80 Tired of using BBCode due to the current landscape of deficient or
81 insecure
<abbr>HTML
</abbr> filters? Have a
82 <strong><acronym>WYSIWYG
</acronym></strong> editor but never been able to use it? Looking
83 for high-quality, standards-compliant, open-source components for that
84 application you're building? HTML Purifier is for you!
</p>
86 <blockquote class=
"fancy">
88 I'd just like to say we use HTML Purifier in
<a href=
"http://www.iris.ac/">IRIS
</a> for
89 filtering emails against XSS attacks and we've been more than impressed.
91 <div class=
"origin">— Chris Corbyn,
<em>Senior IRIS Developer
</em></div>
94 <xi:include href=
"download-box.xml" xpointer=
"xpointer(/*/node())" />
100 <div id=
"BackgroundContainer">
101 <h2 id=
"Background">Background
</h2>
103 <p>There are a number of open-source
<abbr>HTML
</abbr> filtering solutions out
104 there on the web already. What sets HTML Purifier apart from them?
105 Aren't all of these choices
<q>secure
</q>?
</p>
107 <p>When it comes to
<abbr>HTML
</abbr>,
<strong>attention to
108 detail
</strong> is key. Does it perform its filtering off a
109 whitelist rather than an out-of-date blacklist? Does it filter every
110 attribute in the document? Does it actually understand
<abbr>HTML
</abbr>?
</p>
112 <p><strong>Know thy enemy.
</strong> Hackers have a huge arsenal of
113 <abbr>XSS
</abbr> vectors hidden within the depths of the
114 <abbr>HTML
</abbr> specification. HTML Purifier is
115 effective because it decomposes the whole document
116 into tokens and removing
117 non-whitelisted elements, checking the well-formedness and nesting of tags, and
118 validating all attributes according to their
<abbr>RFC
</abbr>s.
119 HTML Purifier's comprehensive algorithms are complemented by a
120 <strong>breadth of knowledge
</strong>, ensuring that richly formatted
121 documents pass through unstripped.
</p>
123 <p>To my knowledge, there is nothing else in the wild that offers
124 protection from
<abbr>XSS
</abbr>, standards-compliance, and
125 corrective processing of poorly formed
<abbr>HTML
</abbr>.
126 But don't take my word for it:
127 do your research and try out the
<a href=
"demo.php">demo
</a>.
</p>
129 <p>To find out more, you can read the
130 <a href=
"comparison.html"><strong>Comparison
</strong></a>
131 for a analysis of HTML Purifier and the other major filters.
</p>
133 <blockquote class=
"fancy">
135 [Y]ou save my day by allowing me not to write another damned HTML parser.
138 — Joseph Halter,
<em>Technical Director at Akira Web
</em>
143 <div id=
"NewsContainer">
144 <h2 id=
"News">Recent News
</h2>
146 <div class=
"news" news:
source=
"news" news:
limit=
"1" news:
header=
"h3" />
149 <a href=
"news.html">Read earlier news...
</a>
155 <h2 id=
"Plugins" class=
"clear">Plugins
</h2>
157 <p>HTML Purifier is a great library to integrate with existing
158 <abbr>CMS
</abbr>es and other applications or
<acronym>WYSIWYG
</acronym>
159 editors. Currently, we have plugins for these applications:
</p>
162 <li><a href=
"http://www.phorum.org/phorum5/read.php?62,127035">Phorum
</a> (in use at our very own forums!)
</li>
163 <li><a href=
"http://htmlpurifier.org/dev/plugins/modx.txt">MODx
</a></li>
164 <li><a href=
"http://bart.motd.be/projects/html-purifier-drupal-module">Drupal
</a> by Bart Jansens
</li>
165 <li><a href=
"http://urbangiraffe.com/plugins/html-purified/">Wordpress
</a> by John Godley
</li>
166 <li><a href=
"http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla
</a> by Double D
</li>
167 <li><a href=
"http://www.mindloop.be/nieuws/nieuwe-ontwikkelingen/htmlpurifier-and-the-codeigniter-framework">CodeIgniter
</a> by Andy Mathijs
</li>
168 <li><a href=
"http://www.symfony-project.org/plugins/sfXssSafePlugin">Symfony
</a> by Alexandre Mogère
</li>
172 HTML Purifier is also now in print! Martin Brampton's new book
173 <a href=
"http://packt.aliro.org/">PHP
5 CMS Framework Development
</a>
174 includes a discussion of using HTML Purifier in your content management
175 system. Go check it out!
179 <strong>Notice:
</strong>
180 Any plugin provided by a third party has not been vetted by us: use
181 them at your own risk. If you are having a problem with the plugin,
182 please consult the plugin author before asking for help here (we'll
183 be more than happy to help, but it might be a problem with the
184 plugin rather than HTML Purifier.)
187 <blockquote class=
"fancy">
189 This plugin is on top of my favorite list[.] I am going to heavily
190 depend on it since my clients insist on having
<acronym>WYSIWYG
</acronym> and I insist on
191 having pages that validate and are semantically sound.
194 — David Molliere,
<em>MODx Marketing
& Design Team
</em>
198 <p>Plugins for other major applications gladly accepted!
</p>
201 <h2 id=
"Users">Users
</h2>
203 <p>Here are some open-source applications that use HTML Purifier:
</p>
206 <tr><td><a href=
"http://info.tikiwiki.org/tiki-index.php">TikiWiki
</a></td><td><a href=
"http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/third_party/htmlpurifier/HTMLPurifier.php?view=markup">3.2.0</a> (TikiWiki was incorrectly reported as being out-of-date since May
2008)
</td></tr>
207 <tr><td><a href=
"http://www.yiiframework.com/">Yii
</a></td><td><a href=
"http://yii.googlecode.com/svn/trunk/framework/vendors/htmlpurifier/HTMLPurifier.standalone.php">3.2.0</a></td></tr>
208 <tr><td><a href=
"http://www.impresscms.org/">ImpressCMS
</a></td><td><a href=
"http://impresscms.svn.sourceforge.net/viewvc/impresscms/core/trunk/htdocs/libraries/htmlpurifier/HTMLPurifier.standalone.php?view=markup">3.1.1</a></td></tr>
209 <tr><td><a href=
"http://noserub.com/">NoseRub
</a></td><td><a href=
"http://code.google.com/p/noserub/source/browse/branches/development/vendors/htmlpurifier/HTMLPurifier.php">3.1.1</a></td></tr>
210 <tr><td><a href=
"http://code.google.com/p/jibberbook/">Jibberbook
</a></td><td><a href=
"http://jibberbook.googlecode.com/svn/trunk/source/libraries/htmlpurifier/HTMLPurifier.standalone.php">3.1.1</a></td></tr>
211 <tr><td><a href=
"http://brilaps.com/index.php?content=mia">Mia
</a></td><td><a href=
"http://code.google.com/p/mia-chat/source/browse/trunk/mia_0_8_x/includes/htmlpurifier/HTMLPurifier.php">3.1.1</a></td></tr>
212 <tr><td><a href=
"http://kohanaphp.com/home.html">Kohana
</a></td><td><a href=
"http://trac.kohanaphp.com/browser/trunk/system/vendor">3.1.1</a></td></tr>
213 <tr><td><a href=
"http://getlilina.org/">Lilina News Aggregator
</a></td><td><a href=
"http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">3.1.1</a></td></tr>
214 <tr><td><a href=
"http://www.midgard-project.org/">Midgard
</a></td><td>via PEAR
</td></tr>
215 <tr><td><a href=
"http://www.bitweaver.org/">BitWeaver
</a></td><td><a href=
"http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR
</a>, see
<a href=
"http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php
</a></td></tr>
216 <tr><td><a href=
"http://code.google.com/p/project-babel/issues/entry">Project Babel
</a></td><td>via PEAR and Midgard
</td></tr>
217 <tr><td><a href=
"http://code.google.com/p/php-atompub-server/">PHP Atompub Server
</a></td><td><a href=
"http://code.google.com/p/php-atompub-server/wiki/SanitizingInput">via download
</a></td></tr>
220 <p>If I've forgotten anyone, drop me a line with a link to both
221 your application and the use of HTML Purifier in your code repository,
222 and I'll add your application to this list.
</p>
225 <h3>Hall of Shame
</h3>
227 <p>The following projects package HTML Purifier with their software, but are
228 not up-to-date. They are putting their userbase at risk of security attacks
229 by not keeping HTML Purifier updated. If you're a user or developer for these projects, please
230 raise your voice and help to get them fixed!
</p>
233 <tr><td><!--<a href="http://code.google.com/p/wpids/">-->WPIDS
<!--</a>--></td><td><a href=
"http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
234 <tr><td>Lichen Webmail
</td><td><a href=
"http://trac.lichen-mail.org/browser/trunk/libs/HTMLPurifier.php">2.1.4</a>, see
<a href=
"https://trac.lichen-mail.org/ticket/79">ticket #
79</a></td></tr>
235 <tr><td><!--<a href="http://code.google.com/p/xoopsbrasil/">-->XOOPS Cube BRASIL
<!--</a>--></td><td><a href=
"http://code.google.com/p/xoopsbrasil/source/browse/xoops_trust_path/PEAR/HTMLPurifier.php">2.1.3</a></td></tr>
236 <tr><td>XDForum
</td><td><a href=
"http://xdforum.svn.sourceforge.net/viewvc/xdforum/trunk/xdforum/includes/htmlpurifier/library/HTMLPurifier.php?view=markup">1.3.2</a></td></tr>
239 <h2 id=
"Propaganda">Spread the Word!
</h2>
241 <p>Help spread awareness about HTML Purifier by:
</p>
245 href=
"http://del.icio.us/post?v=4&noui&url=http://htmlpurifier.org/&title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
246 id=
"delicious">Bookmarking this website
</a> on your
<strong>del.icio.us
</strong> account, and/or
</li>
248 <div>Including this little
<strong>label
</strong> on your website:
249 <a href=
"http://htmlpurifier.org/"><img
250 src=
"live/art/powered.png"
251 alt=
"Powered by HTML Purifier" border=
"0" /></a>, with this code:
253 <pre class=
"long"><a href=
"http://htmlpurifier.org/
"><img
254 src=
"http://htmlpurifier.org/live/art/powered.png
"
255 alt=
"Powered by HTML Purifier
" border=
"0" /
></a
></pre>