Monday, January 14th, 2008

HTML Purifier 3.0

Category: Library, PHP, Security

HTML Purifier 3.0 has been released.

What is HTML Purifier?

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.

What’s new in 3.0?

Release 3.0.0 is the first release of 2008 and also HTML Purifier’s first
PHP 5 only release.
The 2.1 series will still
be supported for bug and security fixes,
but will not get new features. This release a number of
improvements in CSS handling, including the filter
HTMLPurifier_Filter_ExtractStyleBlocks which integrates
HTML Purifier with
CSSTidy for cleaning style sheets
(see the source code file for more information on usage), contains
experimental support for
proprietary CSS properties with %CSS.Proprietary, case-insensitive
CSS properties, and more lenient hexadecimal color codes. Also, all code
has been upgraded to full PHP 5 and is
E_STRICT clean for all versions of PHP 5 (including the
5.0 series, which previously had parse-time errors).

You can run a live demo to see it at work.

Posted by Dion Almaer at 6:08 am

3.8 rating from 30 votes


Comments feed TrackBack URI

Why would one choose this over the PHP integrated HTML Tidy Library?

Comment by SchizoDuckie — January 14, 2008

( and strip_tags() ofcourse )

Comment by SchizoDuckie — January 14, 2008

Check out the comparison page. In general, HTML Tidy isn’t meant to remove malicious code, and strip_tags is ineffective against attributes.

Comment by AmbushCommander — January 14, 2008

Leave a comment

You must be logged in to post a comment.