Update xhtml-compiler to not have infinite loop with update.php force.
[htmlpurifier-web.git] / index.xhtml
blob 57b4f72bce64e8213d5ba3732cf0c39d76b0e05b
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xmlns:news="urn:xhtml-compiler:News"
xml:lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description"
content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords"
content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
<script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
<!-- OpenID for Edward Z. Yang -->
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://edwardzyang.pip.verisignlabs.com/" />
<!-- Google OpenSearch -->
<link rel="search" href="opensearchdescription.xml"
type="application/opensearchdescription+xml"
title="HTML Purifier" />
</head>
<body>

<div id="branding">
<h1>
<span class="html">HTML</span>
<span class="purifier">Purifier</span>
</h1>
<blockquote>
<p>
Standards-Compliant HTML Filtering
</p>
</blockquote>
</div>

<xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />

<div id="content">

<div id="summary">
<h2>Summary</h2>
<div id="summary-safe">
<h3>Safe</h3>
<p>
HTML Purifier defeats XSS with an audited whitelist
</p>
</div>
<div id="summary-clean">
<h3>Clean</h3>
<p>
HTML Purifier ensures standards-compliant output
</p>
</div>
<div id="summary-open">
<h3>Open</h3>
<p>
HTML Purifier is open-source and highly customizable
</p>
</div>
</div>

<div id="intro">
<div class="warning" style="margin-left:0; margin-right:0;">
<strong>The most recent release is a security update.</strong> Please upgrade
to HTML Purifier 3.1.1 or 2.1.5 as soon as possible.
</div>

<p><strong>HTML Purifier</strong> is a standards-compliant
<abbr>HTML</abbr> filter library written in
<abbr>PHP</abbr>. HTML Purifier will not only remove all malicious
code (better known as <abbr>XSS</abbr>) with a thoroughly audited,
secure <em>yet</em> permissive <strong><a
href="live/smoketests/printDefinition.php">whitelist</a></strong>,
it will also make sure your documents are
<strong>standards compliant</strong>, something only achievable with a
comprehensive knowledge of <abbr>W3C</abbr>'s specifications.
Tired of using BBCode due to the current landscape of deficient or
insecure <abbr>HTML</abbr> filters? Have a
<strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking
for high-quality, standards-compliant, open-source components for that
application you're building? HTML Purifier is for you!</p>

<blockquote class="fancy">
<div class="quote">
I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
filtering emails against XSS attacks and we've been more than impressed.
</div>
<div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
</blockquote>

<xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />

</div>

<div id="BackgroundContainer">
<h2 id="Background" class="clear">Background</h2>

<p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
there on the web already. What sets HTML Purifier apart from them?
Aren't all of these choices <q>secure</q>?</p>

<p>When it comes to <abbr>HTML</abbr>, <strong>attention to
detail</strong> is key. Does it perform its filtering off a
whitelist rather than an out-of-date blacklist? Does it filter every
attribute in the document? Does it actually understand <abbr>HTML</abbr>?</p>

<p><strong>Know thy enemy.</strong> Hackers have a huge arsenal of
<abbr>XSS</abbr> vectors hidden within the depths of the
<abbr>HTML</abbr> specification. HTML Purifier is
effective because it decomposes the whole document
into tokens, removing
non-whitelisted elements, checking the well-formedness and nesting of tags, and
validating all attributes according to their <abbr>RFC</abbr>s.
HTML Purifier's comprehensive algorithms are complemented by a
<strong>breadth of knowledge</strong>, ensuring that richly formatted
documents pass through unstripped.</p>

<p>To my knowledge, there is nothing else in the wild that offers
protection from <abbr>XSS</abbr>, standards-compliance, and
corrective processing of poorly formed <abbr>HTML</abbr>.
But don't take my word for it:
do your research and try out the <a href="demo.php">demo</a>.</p>

<p>To find out more, you can read the
<a href="comparison.html"><strong>Comparison</strong></a>
for an analysis of HTML Purifier and the other major filters.</p>

<blockquote class="fancy">
<div class="quote">
[Y]ou save my day by allowing me not to write another damned HTML parser.
</div>
<div class="origin">
&mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
</div>
</blockquote>
</div>

<div id="NewsContainer">
<h2 id="News">Recent News</h2>

<div class="news" news:source="news" news:limit="1" news:header="h3" />

<p>
<a href="news.html">Read earlier news...</a>
</p>
</div>

<h2 id="Plugins" class="clear">Plugins</h2>

<p>HTML Purifier is a great library to integrate with existing
<abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
editors. Currently, we have plugins for these applications:</p>

<ul>
<li><a href="http://www.phorum.org/phorum5/read.php?62,127035">Phorum</a> (in use at our very own forums!)</li>
<li><a href="http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt">MODx</a></li>
<li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
<li><a href="http://urbangiraffe.com/plugins/html-purified/">Wordpress</a> by John Godley</li>
<li><a href="http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla</a> by Double D</li>
<li><a href="http://www.mindloop.be/nieuws/nieuwe-ontwikkelingen/htmlpurifier-and-the-codeigniter-framework">CodeIgniter</a> by Andy Mathijs</li>
</ul>

<p>
HTML Purifier is also now in print! Martin Brampton's new book
<a href="http://packt.aliro.org/">PHP 5 CMS Framework Development</a>
includes a discussion of using HTML Purifier in your content management
system. Go check it out!
</p>

<p>
<strong>Notice:</strong>
Any plugin provided by a third party has not been vetted by us: use
them at your own risk. If you are having a problem with the plugin,
please consult the plugin author before asking for help here (we'll
be more than happy to help, but it might be a problem with the
plugin rather than HTML Purifier.)
</p>

<blockquote class="fancy">
<div class="quote">
This plugin is on top of my favorite list[.] I am going to heavily
depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
having pages that validate and are semantically sound.
</div>
<div class="origin">
&mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>

<p>Plugins for other major applications gladly accepted!</p>

<h2 id="Users">Users</h2>

<p>Here are some open-source applications that use HTML Purifier:</p>

<table>
<tr><td><a href="http://www.aliro.org/">Aliro</a></td><td><a href="http://aliro-svn.cvsdude.com/aliro/trunk/extclasses/HTMLPurifier.php">3.1.0</a></td></tr>
<tr><td><a href="http://code.google.com/p/jibberbook/">Jibberbook</a></td><td><a href="http://jibberbook.googlecode.com/svn/trunk/source/htmlpurifier/HTMLPurifier.standalone.php">3.1.0</a></td></tr>
<tr><td><a href="http://brilaps.com/index.php?content=mia">Mia</a></td><td><a href="http://code.google.com/p/mia-chat/source/browse/trunk/mia_0_8_x/includes/htmlpurifier/HTMLPurifier.php">3.1.0</a></td></tr>
<tr><td><a href="http://kohanaphp.com/home.html">Kohana</a></td><td><a href="http://trac.kohanaphp.com/browser/trunk/system/vendor">3.1.0</a></td></tr>
<tr><td><a href="http://www.midgard-project.org/">Midgard</a></td><td>via PEAR</td></tr>
<tr><td><a href="http://www.bitweaver.org/">BitWeaver</a></td><td><a href="http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR</a>, see <a href="http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php</a></td></tr>
<tr><td><a href="http://code.google.com/p/project-babel/issues/entry">Project Babel</a></td><td>via PEAR and Midgard</td></tr>
<tr><td><a href="http://code.google.com/p/php-atompub-server/">PHP Atompub Server</a></td><td><a href="http://code.google.com/p/php-atompub-server/wiki/SanitizingInput">via download</a></td></tr>
</table>

<p>If I've forgotten anyone, drop me a line with a link to both
your application and the use of HTML Purifier in your code repository,
and I'll add your application to this list.</p>

<h3>Hall of Limbo: PHP4</h3>

<p>The following applications are using HTML Purifier 2.1, for PHP4 compatibility.
While this is fine, I would much rather they go PHP5!</p>

<table>
<tr><td>There are currently no applications using an up-to-date version of HTML Purifier 2.1.</td></tr>
</table>

<h3>Hall of the Past</h3>

<p>The following projects package HTML Purifier with their software, but are
not up-to-date. They are putting their userbase at risk of security attacks
by not keeping HTML Purifier updated. If you're a user or developer for these projects, please
raise your voice and help to get them fixed!</p>

<table>
<tr><td><!--<a href="http://code.google.com/p/wpids/">-->WPIDS<!--</a>--></td><td><a href="http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
<tr><td><!--<a href="http://noserub.com/">-->NoseRub<!--</a>--></td><td><a href="http://code.google.com/p/noserub/source/browse/trunk/vendors/htmlpurifier/HTMLPurifier.php">3.0.0</a></td></tr>
<tr><td><!--<a href="http://getlilina.org/">-->Lilina News Aggregator<!--</a>--></td><td><a href="http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">2.1.3</a></td></tr>
<tr><td><!--<a href="http://info.tikiwiki.org/tiki-index.php">-->TikiWiki<!--</a>--></td><td><a href="http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/branches/1.10/lib/HTMLPurifier.php?view=markup">2.1.3</a></td></tr>
<tr><td><!--<a href="http://code.google.com/p/xoopsbrasil/">-->XOOPS Cube BRASIL<!--</a>--></td><td><a href="http://code.google.com/p/xoopsbrasil/source/browse/xoops_trust_path/PEAR/HTMLPurifier.php">2.1.3</a></td></tr>
<tr><td>Lichen Webmail</td><td><a href="http://trac.lichen-mail.org/browser/trunk/libs/HTMLPurifier.php">2.0.1</a>, see <a href="https://trac.lichen-mail.org/ticket/79">ticket #79</a></td></tr>
<tr><td>PHProjekt</td><td><a href="http://thinkforge.org/plugins/scmcvs/cvsweb.php/phprojekt50/lib/html/library/HTMLPurifier.php?rev=HEAD;content-type=text%2Fplain;cvsroot=phprojekt5">1.6.0</a></td></tr>
<tr><td>XDForum</td><td><a href="http://xdforum.svn.sourceforge.net/viewvc/xdforum/trunk/xdforum/includes/htmlpurifier/library/HTMLPurifier.php?view=markup">1.3.2</a></td></tr>
</table>

<h2 id="Propaganda">Spread the Word!</h2>

<p>Help spread awareness about HTML Purifier by:</p>

<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
<div>Including this little <strong>label</strong> on your website:
<a href="http://htmlpurifier.org/"><img
src="live/art/powered.png"
alt="Powered by HTML Purifier" border="0" /></a>, with this code:
</div>
<pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>

</div>

</body>
</html>
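
The filtering approach the Background section of this file describes (tokenize the document, drop elements that are not whitelisted, repair nesting, validate every attribute), shown as an added Python example. It is not HTML Purifier's code; the whitelist, the `purify`, `uri_ok` and `WhitelistFilter` names and the sample policy are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed whitelist for this example: element -> attributes it may carry.
ALLOWED = {"p": set(), "b": set(), "em": set(), "a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # remove the element and its body

def uri_ok(value):
    cleaned = "".join(ch for ch in value if ch > " ")  # drop whitespace/control chars
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.I)
    return m is None or m.group(1).lower() in SAFE_SCHEMES  # no scheme = relative URL

class WhitelistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return                        # not on the whitelist: the tag is dropped
        kept = {}
        for name, value in attrs:         # values arrive with entities already decoded
            ok = name in ALLOWED[tag] and name not in kept
            if ok and (name != "href" or uri_ok(value or "")):
                kept[name] = value or ""
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:   # stray end tags are ignored
            while self.open_tags[-1] != tag:            # close inner elements first
                self.out.append(f"</{self.open_tags.pop()}>")
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def purify(html):
    f = WhitelistFilter()
    f.feed(html)
    f.close()
    # Well-formedness: close whatever the input left open, innermost first.
    return "".join(f.out + [f"</{t}>" for t in reversed(f.open_tags)])
```

Because the attribute value is checked after entity decoding, an `href` whose scheme is hidden as `javascript&#58;` is rejected the same way as the plain form.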