Safe: HTML Purifier defeats XSS attacks with an audited whitelist
Clean: HTML Purifier ensures standards-compliant output
Open: HTML Purifier is open-source and highly customizable
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!
"I'd just like to say we use HTML Purifier in IRIS for filtering emails against XSS attacks and we've been more than impressed."
— Chris Corbyn, Senior IRIS Developer
Download
HTML Purifier 4.6.0 (.zip): Full, PHP 5 only
HTML Purifier 4.6.0 (.tar.gz): Full, PHP 5 only
Background
There are a number of open-source HTML filtering solutions out there on the web already. What sets HTML Purifier apart from them? Aren't all of these choices “secure”?

When it comes to HTML, attention to detail is key. Does it perform its filtering off a whitelist rather than an out-of-date blacklist? Does it filter every attribute in the document? Does it actually understand HTML?

Know thy enemy. Hackers have a huge arsenal of XSS vectors hidden within the depths of the HTML specification. HTML Purifier is effective because it decomposes the whole document into tokens, removes non-whitelisted elements, checks the well-formedness and nesting of tags, and validates all attributes according to their RFCs. HTML Purifier's comprehensive algorithms are complemented by a breadth of knowledge, ensuring that richly formatted documents pass through unstripped.
To my knowledge, there is nothing else in the wild that offers protection from XSS, standards-compliance, and corrective processing of poorly formed HTML. HTML Purifier is not perfect; it can interact poorly with existing JavaScript on websites, which can introduce vulnerabilities after the fact. However, it is pretty damn good. Do your research and try out the demo.

To find out more, you can read the Comparison for an analysis of HTML Purifier and the other major filters. Or you can chat with other HTML Purifier users on our mailing list and our forum.
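The whitelist approach described above is expressed through the library's configuration object. The following is an added example, not code from htmlpurifier.org, showing an explicit element and attribute whitelist applied to a constructed piece of untrusted, badly formed markup; the autoloader path and the sample input are assumptions.

```php
<?php
// Added example (not part of htmlpurifier.org): whitelist-based filtering
// of untrusted HTML with HTML Purifier. The autoloader path below is an
// assumption; adjust it to where the library is installed.
require_once __DIR__ . '/library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// Whitelist: only these elements and attributes survive. Anything not listed
// (script, style, event handlers, unknown tags) is removed, not escaped.
$config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],img[src|alt]');

// URI attributes (href, src) are validated as URIs, and only these schemes
// are accepted; a value with any other scheme is dropped from the attribute.
$config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));

// Disable the on-disk definition cache so this runs without a writable
// cache directory (in production, point Cache.SerializerPath at one instead).
$config->set('Cache.DefinitionImpl', null);

$purifier = new HTMLPurifier($config);

// Constructed sample input: legitimate formatting, unclosed tags, a script
// element, an inline event handler and a non-http(s) link mixed together.
$dirty = '<p>Hello <b>world<i>!</p>'
       . '<script>alert(1)</script>'
       . '<a href="javascript:alert(1)">bad link</a>'
       . '<img src="logo.png" onerror="alert(1)">'
       . '<a href="https://example.com/">good link</a>';

// purify() tokenizes the input, drops non-whitelisted elements and
// attributes, closes and re-nests tags, and returns standards-compliant HTML.
$clean = $purifier->purify($dirty);

echo $clean, PHP_EOL;
```

The output keeps the paragraph, bold and italic formatting (with the unclosed tags closed in the right order) and the https link, while the script element, the onerror handler and the javascript: href are gone rather than merely escaped. Run the purifier on content at the point where it enters storage or rendering, and keep the HTML.Allowed list as small as the application needs; a broad whitelist is still a whitelist, but every extra element is surface area for the JavaScript interaction problems mentioned above.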
from http://htmlpurifier.org/