HTML Purifier is an open source standards-compliant HTML filter library developed using PHP.
HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, but it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of the W3C's specifications.
Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Looking for high-quality, standards-compliant, open-source components for that application you're building? Have a WYSIWYG editor but never been able to use it?
HTML Purifier is for you!
What's New in This Release:
· Added %Core.RemoveProcessingInstructions, which lets you remove processing instruction (<? ... ?>) statements.
· Added %URI.DisableResources functionality; the directive originally did nothing. Thanks David Rothstein for reporting.
· Add documentation about configuration directive types.
· Add %CSS.ForbiddenProperties configuration directive.
· Add %HTML.FlashAllowFullScreen to permit embedded Flash objects to utilize full-screen mode.
· Add optional support for the file URI scheme, enabled by explicitly setting %URI.AllowedSchemes.
· Add %Core.NormalizeNewlines options to allow turning off newline normalization.
· Fix improper handling of Internet Explorer conditional comments by the parser. Thanks zmonteca for reporting.
· Fix missing attributes bug when running on Mac Snow Leopard and APC. Thanks sidepodcast for the fix.
· Warn if an element is allowed, but an attribute it requires is not allowed.
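The following is an added example, not code from the HTML Purifier project or from this listing, showing how the configuration directives named in the changelog above are applied through HTML Purifier's standard API (HTMLPurifier_Config::createDefault(), set() and purify()). It assumes the library's standalone autoloader is reachable as 'HTMLPurifier.auto.php'; the sample input is constructed for illustration.

```php
<?php
// Added example (not from the HTML Purifier project): a locked-down
// configuration exercising the directives listed in the changelog.
// Assumption: the standalone autoloader is on the include path.
require_once 'HTMLPurifier.auto.php';

function buildStrictPurifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Remove <? ... ?> processing instructions rather than passing them
    // through as escaped text.
    $config->set('Core.RemoveProcessingInstructions', true);

    // Refuse any external resource (image sources, object data, ...) so
    // purified content cannot trigger requests to third-party hosts.
    $config->set('URI.DisableResources', true);

    // Explicit scheme whitelist. The optional file scheme is deliberately
    // left out; it is only enabled if listed here.
    $config->set('URI.AllowedSchemes', array(
        'http'   => true,
        'https'  => true,
        'mailto' => true,
    ));

    // Forbid CSS properties that let untrusted content overlay or hide
    // parts of the host page.
    $config->set('CSS.ForbiddenProperties', array(
        'position' => true,
        'z-index'  => true,
        'opacity'  => true,
    ));

    // Newline normalization stays on (the default); set explicitly so the
    // choice is visible in the configuration.
    $config->set('Core.NormalizeNewlines', true);

    return new HTMLPurifier($config);
}

// Constructed sample input touching each directive above.
$dirty = '<p style="position:fixed;color:red">Hello</p>'
       . '<?php echo 1; ?>'
       . '<img src="http://example.com/pixel.gif" alt="pixel">'
       . '<a href="file:///some/local/path">local</a>'
       . '<a href="https://example.com/">ok</a>';

$clean = buildStrictPurifier()->purify($dirty);
echo $clean, PHP_EOL;
```

Run it with `php example.php`: the processing instruction and the position declaration are dropped, the external image and the file: link lose their resource or are removed, and the https link survives. Directive names are case-sensitive and unknown names throw an exception, which is a useful guard against typos in a security configuration.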