symfony / html-sanitizer
Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
Requires
- php: >=8.2
- ext-dom: *
- league/uri: ^6.5|^7.0
- masterminds/html5: ^2.7.2
Versions
- 7.2.x-dev
- v7.2.0-RC1
- v7.2.0-BETA1
- 7.1.x-dev
- v7.1.6
- v7.1.5
- v7.1.1
- v7.1.0
- v7.1.0-RC1
- v7.1.0-BETA1
- 7.0.x-dev
- v7.0.8
- v7.0.7
- v7.0.4
- v7.0.3
- v7.0.0
- v7.0.0-RC1
- v7.0.0-BETA2
- v7.0.0-BETA1
- 6.4.x-dev
- v6.4.13
- v6.4.12
- v6.4.8
- v6.4.7
- v6.4.4
- v6.4.3
- v6.4.0
- v6.4.0-RC1
- v6.4.0-BETA2
- v6.4.0-BETA1
- 6.3.x-dev
- v6.3.12
- v6.3.7
- v6.3.4
- v6.3.0
- v6.3.0-RC1
- v6.3.0-BETA1
- 6.2.x-dev
- v6.2.7
- v6.2.5
- v6.2.2
- v6.2.0
- v6.2.0-RC1
- v6.2.0-BETA1
- 6.1.x-dev
- v6.1.11
- v6.1.9
- v6.1.0
- v6.1.0-RC1
- v6.1.0-BETA2
- v6.1.0-BETA1
This package is auto-updated.
Last update: 2024-11-13 15:17:41 UTC
README
The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
Usage
```php
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;

// By default, an element not added to the allowed or blocked elements
// will be dropped, including its children
$config = (new HtmlSanitizerConfig())
    // Allow "safe" elements and attributes. All scripts will be removed
    // as well as other dangerous behaviors like CSS injection
    ->allowSafeElements()

    // Allow all static elements and attributes from the W3C Sanitizer API
    // standard. All scripts will be removed but the output may still contain
    // other dangerous behaviors like CSS injection (click-jacking), CSS
    // expressions, ...
    ->allowStaticElements()

    // Allow the "div" element and no attribute can be on it
    ->allowElement('div')

    // Allow the "a" element, and the "title" attribute to be on it
    ->allowElement('a', ['title'])

    // Allow the "span" element, and any attribute from the Sanitizer API is allowed
    // (see https://wicg.github.io/sanitizer-api/#default-configuration)
    ->allowElement('span', '*')

    // Block the "section" element: this element will be removed but
    // its children will be retained
    ->blockElement('section')

    // Drop the "div" element: this element will be removed, including its children
    ->dropElement('div')

    // Allow the attribute "title" on the "div" element
    ->allowAttribute('title', ['div'])

    // Allow the attribute "data-custom-attr" on all currently allowed elements
    ->allowAttribute('data-custom-attr', '*')

    // Drop the "data-custom-attr" attribute from the "div" element:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', ['div'])

    // Drop the "data-custom-attr" attribute from all elements:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', '*')

    // Forcefully set the value of all "rel" attributes on "a"
    // elements to "noopener noreferrer"
    ->forceAttribute('a', 'rel', 'noopener noreferrer')

    // Transform all HTTP schemes to HTTPS
    ->forceHttpsUrls()

    // Configure which schemes are allowed in links (others will be dropped)
    ->allowLinkSchemes(['https', 'http', 'mailto'])

    // Configure which hosts are allowed in links (by default all are allowed)
    ->allowLinkHosts(['symfony.com', 'example.com'])

    // Allow relative URL in links (by default they are dropped)
    ->allowRelativeLinks()

    // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped)
    ->allowMediaSchemes(['https', 'http'])

    // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed)
    ->allowMediaHosts(['symfony.com', 'example.com'])

    // Allow relative URL in img/audio/video/iframe (by default they are dropped)
    ->allowRelativeMedias()

    // Configure a custom attribute sanitizer to apply custom sanitization logic
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withAttributeSanitizer($attributeSanitizer)

    // Unregister a previously registered attribute sanitizer
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withoutAttributeSanitizer($attributeSanitizer)
;

$sanitizer = new HtmlSanitizer($config);

// Sanitize a given string, using the configuration provided and in the
// "body" context (tags only allowed in <head> will be removed)
$sanitizer->sanitize($userInput);

// Sanitize the given string for a usage in a <head> tag
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize the given string for a usage in another tag
$sanitizer->sanitizeFor('title', $userInput);    // Will encode as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('div', $userInput);      // Will sanitize as body
$sanitizer->sanitizeFor('section', $userInput);  // Will sanitize as body

// ...
```
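The reference above lists every configuration call but never shows a complete, deny-by-default policy together with a custom `AttributeSanitizerInterface`. The following script is an added example and is not code from the Symfony project or its README. It assumes the component was installed with Composer (the autoload path), and the allowlisted class names, the allowed host `example.com` and the sample input are all constructed for the demonstration; the `ClassAllowlistSanitizer` class is hypothetical, written against the interface the README refers to.

```php
<?php
// Added example (not part of symfony/html-sanitizer): a restrictive policy
// for user-submitted comments plus a custom attribute sanitizer that keeps
// only allowlisted CSS class names. All names and inputs below are constructed.

require __DIR__.'/vendor/autoload.php'; // assumes `composer require symfony/html-sanitizer`

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;

/**
 * Hypothetical sanitizer: keeps only allowlisted tokens of a "class" attribute.
 * Returning null from sanitizeAttribute() removes the attribute entirely.
 */
final class ClassAllowlistSanitizer implements AttributeSanitizerInterface
{
    /** @param list<string> $allowedClasses */
    public function __construct(private array $allowedClasses)
    {
    }

    public function getSupportedElements(): ?array
    {
        return null; // null means: apply to every element the config lets through
    }

    public function getSupportedAttributes(): ?array
    {
        return ['class'];
    }

    public function sanitizeAttribute(string $element, string $attribute, string $value, HtmlSanitizerConfig $config): ?string
    {
        $tokens = preg_split('/\s+/', trim($value), -1, PREG_SPLIT_NO_EMPTY);
        $kept = array_values(array_intersect($tokens, $this->allowedClasses));

        // Drop the attribute when nothing allowlisted remains.
        return $kept ? implode(' ', $kept) : null;
    }
}

// Deny by default: only the elements listed here survive; anything else
// (script, iframe, style, ...) is dropped together with its children.
$config = (new HtmlSanitizerConfig())
    ->allowElement('p')
    ->allowElement('strong')
    ->allowElement('em')
    ->allowElement('a', ['href', 'title'])
    ->allowAttribute('class', ['p', 'a'])
    // "http" must be allowed for forceHttpsUrls() to have anything to rewrite;
    // the scheme check runs before the https rewrite.
    ->allowLinkSchemes(['https', 'http', 'mailto'])
    ->allowLinkHosts(['example.com']) // constructed allowlist of link targets
    ->forceAttribute('a', 'rel', 'noopener noreferrer')
    ->forceHttpsUrls()
    ->withAttributeSanitizer(new ClassAllowlistSanitizer(['highlight', 'quote']));

$sanitizer = new HtmlSanitizer($config);

// Constructed untrusted input that exercises each rule of the policy.
$userInput = <<<'HTML'
<p class="highlight evil" onclick="doSomething()">Hello <script>alert(1)</script>
<a href="javascript:alert(1)">disallowed scheme</a>
<a href="http://example.com/page" class="quote">allowed host, http rewritten</a>
<a href="https://other.example/">host not allowlisted</a></p>
<iframe src="https://example.com/"></iframe>
HTML;

echo $sanitizer->sanitize($userInput), PHP_EOL;
// Expected behaviour per the README's rules: the script and iframe elements
// are dropped with their children, "onclick" was never allowed and disappears,
// the javascript: and non-allowlisted-host hrefs are removed from their <a>
// elements, the http:// link becomes https://, rel="noopener noreferrer" is
// forced on every <a>, and "evil" is stripped from the class list while
// "highlight" and "quote" are kept.
```

Two design points are worth noting. First, `allowElement` without a second argument allows an element with no attributes at all, so `p` and `a` only get `class` because `allowAttribute('class', ['p', 'a'])` adds it explicitly; an attribute allowlist per element is what keeps event-handler attributes out without having to enumerate them. Second, a custom attribute sanitizer runs only on attributes the policy already allows, so it is a refinement layer (narrowing `class` to known tokens here), not a substitute for the element and attribute allowlists.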