1 <?xml version=
"1.0" encoding=
"UTF-8"?>
2 <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
3 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
5 xmlns=
"http://www.w3.org/1999/xhtml"
6 xmlns:
xi=
"http://www.w3.org/2001/XInclude"
7 xmlns:
xc=
"urn:xhtml-compiler"
8 xmlns:
news=
"urn:xhtml-compiler:News"
11 <title>HTML Purifier - Filter your HTML the standards-compliant way!
</title>
12 <xi:include href=
"common-meta.xml" xpointer=
"xpointer(/*/node())" />
13 <meta name=
"description"
14 content=
"HTML filter that guards against XSS and ensures standards-compliant output." />
16 content=
"HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
17 <!-- See news.xhtml for definition -->
18 <link rel=
"alternate" type=
"application/rss+xml" title=
"News - HTML Purifier" href=
"news.rss" />
19 <script defer=
"defer" type=
"text/javascript" src=
"del.icio.us.js" xc:
absolute=
"src"></script>
20 <!-- OpenID for Edward Z. Yang -->
21 <link rel=
"openid.server" href=
"https://pip.verisignlabs.com/server" />
22 <link rel=
"openid.delegate" href=
"http://edwardzyang.pip.verisignlabs.com/" />
23 <!-- Google OpenSearch -->
24 <link rel=
"search" href=
"opensearchdescription.xml"
25 type=
"application/opensearchdescription+xml"
26 title=
"HTML Purifier" />
32 <span class=
"html">HTML
</span>
33 <span class=
"purifier">Purifier
</span>
37 Standards-Compliant HTML Filtering
42 <xi:include href=
"common-navigation.xml" xpointer=
"xpointer(/*/node())" />
48 <div id=
"summary-safe">
51 HTML Purifier defeats XSS with an audited whitelist
54 <div id=
"summary-clean">
57 HTML Purifier ensures standards-compliant output
60 <div id=
"summary-open">
63 HTML Purifier is open-source and highly customizable
69 <div class=
"warning" style=
"margin-left:0; margin-right:0;">
70 <strong>The most recent release is a security update.
</strong> Please upgrade
71 to HTML Purifier
3.1.1 or
2.1.5 as soon as possible.
74 <p><strong>HTML Purifier
</strong> is a standards-compliant
75 <abbr>HTML
</abbr> filter library written in
76 <abbr>PHP
</abbr>. HTML Purifier will not only remove all malicious
77 code (better known as
<abbr>XSS
</abbr>) with a thoroughly audited,
78 secure
<em>yet
</em> permissive
<strong><a
79 href=
"live/smoketests/printDefinition.php">whitelist
</a></strong>,
80 it will also make sure your documents are
81 <strong>standards compliant
</strong>, something only achievable with a
82 comprehensive knowledge of
<abbr>W3C
</abbr>'s specifications.
83 Tired of using BBCode due to the current landscape of deficient or
84 insecure
<abbr>HTML
</abbr> filters? Have a
85 <strong><acronym>WYSIWYG
</acronym></strong> editor but never been able to use it? Looking
86 for high-quality, standards-compliant, open-source components for that
87 application you're building? HTML Purifier is for you!
</p>
89 <blockquote class=
"fancy">
91 I'd just like to say we use HTML Purifier in
<a href=
"http://www.iris.ac/">IRIS
</a> for
92 filtering emails against XSS attacks and we've been more than impressed.
94 <div class=
"origin">— Chris Corbyn,
<em>Senior IRIS Developer
</em></div>
97 <xi:include href=
"download-box.xml" xpointer=
"xpointer(/*/node())" />
101 <div id=
"BackgroundContainer">
102 <h2 id=
"Background" class=
"clear">Background
</h2>
104 <p>There are a number of open-source
<abbr>HTML
</abbr> filtering solutions out
105 there on the web already. What sets HTML Purifier apart from them?
106 Aren't all of these choices
<q>secure
</q>?
</p>
108 <p>When it comes to
<abbr>HTML
</abbr>,
<strong>attention to
109 detail
</strong> is key. Does it perform its filtering off a
110 whitelist rather than an out-of-date blacklist? Does it filter every
111 attribute in the document? Does it actually understand
<abbr>HTML
</abbr>?
</p>
113 <p><strong>Know thy enemy.
</strong> Hackers have a huge arsenal of
114 <abbr>XSS
</abbr> vectors hidden within the depths of the
115 <abbr>HTML
</abbr> specification. HTML Purifier is
116 effective because it decomposes the whole document
117 into tokens and removing
118 non-whitelisted elements, checking the well-formedness and nesting of tags, and
119 validating all attributes according to their
<abbr>RFC
</abbr>s.
120 HTML Purifier's comprehensive algorithms are complemented by a
121 <strong>breadth of knowledge
</strong>, ensuring that richly formatted
122 documents pass through unstripped.
</p>
124 <p>To my knowledge, there is nothing else in the wild that offers
125 protection from
<abbr>XSS
</abbr>, standards-compliance, and
126 corrective processing of poorly formed
<abbr>HTML
</abbr>.
127 But don't take my word for it:
128 do your research and try out the
<a href=
"demo.php">demo
</a>.
</p>
130 <p>To find out more, you can read the
131 <a href=
"comparison.html"><strong>Comparison
</strong></a>
132 for a analysis of HTML Purifier and the other major filters.
</p>
134 <blockquote class=
"fancy">
136 [Y]ou save my day by allowing me not to write another damned HTML parser.
139 — Joseph Halter,
<em>Technical Director at Akira Web
</em>
144 <div id=
"NewsContainer">
145 <h2 id=
"News">Recent News
</h2>
147 <div class=
"news" news:
source=
"news" news:
limit=
"1" news:
header=
"h3" />
150 <a href=
"news.html">Read earlier news...
</a>
154 <h2 id=
"Plugins" class=
"clear">Plugins
</h2>
156 <p>HTML Purifier is a great library to integrate with existing
157 <abbr>CMS
</abbr>es and other applications or
<acronym>WYSIWYG
</acronym>
158 editors. Currently, we have plugins for these applications:
</p>
161 <li><a href=
"http://www.phorum.org/phorum5/read.php?62,127035">Phorum
</a> (in use at our very own forums!)
</li>
162 <li><a href=
"http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt">MODx
</a></li>
163 <li><a href=
"http://bart.motd.be/projects/html-purifier-drupal-module">Drupal
</a> by Bart Jansens
</li>
164 <li><a href=
"http://urbangiraffe.com/plugins/html-purified/">Wordpress
</a> by John Godley
</li>
165 <li><a href=
"http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla
</a> by Double D
</li>
166 <li><a href=
"http://www.mindloop.be/nieuws/nieuwe-ontwikkelingen/htmlpurifier-and-the-codeigniter-framework">CodeIgniter
</a> by Andy Mathijs
</li>
170 HTML Purifier is also now in print! Martin Brampton's new book
171 <a href=
"http://packt.aliro.org/">PHP
5 CMS Framework Development
</a>
172 includes a discussion of using HTML Purifier in your content management
173 system. Go check it out!
177 <strong>Notice:
</strong>
178 Any plugin provided by a third party has not been vetted by us: use
179 them at your own risk. If you are having a problem with the plugin,
180 please consult the plugin author before asking for help here (we'll
181 be more than happy to help, but it might be a problem with the
182 plugin rather than HTML Purifier.)
185 <blockquote class=
"fancy">
187 This plugin is on top of my favorite list[.] I am going to heavily
188 depend on it since my clients insist on having
<acronym>WYSIWYG
</acronym> and I insist on
189 having pages that validate and are semantically sound.
192 — David Molliere,
<em>MODx Marketing
& Design Team
</em>
196 <p>Plugins for other major applications gladly accepted!
</p>
199 <h2 id=
"Users">Users
</h2>
201 <p>Here are some open-source applications that use HTML Purifier:
</p>
204 <tr><td><a href=
"http://www.aliro.org/">Aliro
</a></td><td><a href=
"http://aliro-svn.cvsdude.com/aliro/trunk/extclasses/HTMLPurifier.php">3.1.0</a></td></tr>
205 <tr><td><a href=
"http://code.google.com/p/jibberbook/">Jibberbook
</a></td><td><a href=
"http://jibberbook.googlecode.com/svn/trunk/source/htmlpurifier/HTMLPurifier.standalone.php">3.1.0</a></td></tr>
206 <tr><td><a href=
"http://brilaps.com/index.php?content=mia">Mia
</a></td><td><a href=
"http://code.google.com/p/mia-chat/source/browse/trunk/mia_0_8_x/includes/htmlpurifier/HTMLPurifier.php">3.1.0</a></td></tr>
207 <tr><td><a href=
"http://kohanaphp.com/home.html">Kohana
</a></td><td><a href=
"http://trac.kohanaphp.com/browser/trunk/system/vendor">3.1.0</a></td></tr>
208 <tr><td><a href=
"http://www.midgard-project.org/">Midgard
</a></td><td>via PEAR
</td></tr>
209 <tr><td><a href=
"http://www.bitweaver.org/">BitWeaver
</a></td><td><a href=
"http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR
</a>, see
<a href=
"http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php
</a></td></tr>
210 <tr><td><a href=
"http://code.google.com/p/project-babel/issues/entry">Project Babel
</a></td><td>via PEAR and Midgard
</td></tr>
211 <tr><td><a href=
"http://code.google.com/p/php-atompub-server/">PHP Atompub Server
</a></td><td><a href=
"http://code.google.com/p/php-atompub-server/wiki/SanitizingInput">via download
</a></td></tr>
214 <p>If I've forgotten anyone, drop me a line with a link to both
215 your application and the use of HTML Purifier in your code repository,
216 and I'll add your application to this list.
</p>
218 <h3>Hall of Limbo: PHP4
</h3>
220 <p>The following applications are using HTML Purifier
2.1, for PHP4 compatibility.
221 While this is fine, I would much rather they go PHP5!
</p>
224 <tr><td>There are currently no applications using an up-to-date version of HTML Purifier
2.1.
</td></tr>
228 <h3>Hall of the Past
</h3>
230 <p>The following projects package HTML Purifier with their software, but are
231 not up-to-date. They are putting their userbase at risk of security attacks
232 by not keeping HTML Purifier updated. If you're a user or developer for these projects, please
233 raise your voice and help to get them fixed!
</p>
236 <tr><td><!--<a href="http://code.google.com/p/wpids/">-->WPIDS
<!--</a>--></td><td><a href=
"http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
237 <tr><td><!--<a href="http://noserub.com/">-->NoseRub
<!--</a>--></td><td><a href=
"http://code.google.com/p/noserub/source/browse/trunk/vendors/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
238 <tr><td><!--<a href="http://getlilina.org/">-->Lilina News Aggregator
<!--</a>--></td><td><a href=
"http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">2.1.3</a></td></tr>
239 <tr><td><!--<a href="http://info.tikiwiki.org/tiki-index.php">-->TikiWiki
<!--</a>--></td><td><a href=
"http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/branches/1.10/lib/HTMLPurifier.php?view=markup">2.1.3</a></td></tr>
240 <tr><td><!--<a href="http://code.google.com/p/xoopsbrasil/">-->XOOPS Cube BRASIL
<!--</a>--></td><td><a href=
"http://code.google.com/p/xoopsbrasil/source/browse/xoops_trust_path/PEAR/HTMLPurifier.php">2.1.3</a></td></tr>
241 <tr><td>Lichen Webmail
</td><td><a href=
"http://trac.lichen-mail.org/browser/trunk/libs/HTMLPurifier.php">2.0.1</a>, see
<a href=
"https://trac.lichen-mail.org/ticket/79">ticket #
79</a></td></tr>
242 <tr><td>PHProjekt
</td><td><a href=
"http://thinkforge.org/plugins/scmcvs/cvsweb.php/phprojekt50/lib/html/library/HTMLPurifier.php?rev=HEAD;content-type=text%2Fplain;cvsroot=phprojekt5">1.6.0</a></td></tr>
243 <tr><td>XDForum
</td><td><a href=
"http://xdforum.svn.sourceforge.net/viewvc/xdforum/trunk/xdforum/includes/htmlpurifier/library/HTMLPurifier.php?view=markup">1.3.2</a></td></tr>
246 <h2 id=
"Propaganda">Spread the Word!
</h2>
248 <p>Help spread awareness about HTML Purifier by:
</p>
252 href=
"http://del.icio.us/post?v=4&noui&url=http://htmlpurifier.org/&title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
253 id=
"delicious">Bookmarking this website
</a> on your
<strong>del.icio.us
</strong> account, and/or
</li>
255 <div>Including this little
<strong>label
</strong> on your website:
256 <a href=
"http://htmlpurifier.org/"><img
257 src=
"live/art/powered.png"
258 alt=
"Powered by HTML Purifier" border=
"0" /></a>, with this code:
260 <pre class=
"long"><a href=
"http://htmlpurifier.org/
"><img
261 src=
"http://htmlpurifier.org/live/art/powered.png
"
262 alt=
"Powered by HTML Purifier
" border=
"0" /
></a
></pre>