Monday, January 14th, 2008
HTML Purifier 3.0
HTML Purifier 3.0 has been released.
What is HTML Purifier?
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.
What’s new in 3.0?
Release 3.0.0 is the first release of 2008 and also HTML Purifier’s first PHP 5 only release. The 2.1 series will still be supported for bug and security fixes, but will not get new features. This release has a number of improvements in CSS handling: the filter HTMLPurifier_Filter_ExtractStyleBlocks, which integrates HTML Purifier with CSSTidy for cleaning style sheets (see the source code file for more information on usage), experimental support for proprietary CSS properties with %CSS.Proprietary, case-insensitive CSS properties, and more lenient hexadecimal color codes. Also, all code has been upgraded to full PHP 5 and is E_STRICT clean for all versions of PHP 5 (including the 5.0 series, which previously had parse-time errors).
You can run a live demo to see it at work.

Why would one choose this over the PHP integrated HTML Tidy Library?
(and strip_tags() of course)
Check out the comparison page. In general, HTML Tidy isn’t meant to remove malicious code, and strip_tags is ineffective against attributes.