
HTML Purifier

HTML Purifier is PHP software for HTML filtering. It is an alternative to BBCode or other obscure custom markup languages. It will not only remove all malicious code (XSS), but will also make sure the HTML is standards compliant.


Recent releases

  •  27 Mar 2011 23:02

    Release Notes: This is a major security release addressing various security vulnerabilities related to user-submitted code and legitimate client-side scripts. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %CSS.Trusted, %CSS.AllowedFonts, and %Cache.SerializerPermissions. There is a backwards-incompatible API change for customized raw definitions.

  •  15 Sep 2010 08:26

    Release Notes: This is a minor release that implements a number of feature requests accumulated over half a year. New configuration options include %Core.RemoveProcessingInstructions, %CSS.ForbiddenProperties, %HTML.FlashAllowFullScreen, and %Core.NormalizeNewlines. Additionally, %URI.DisableResources is now functional and "file:" is an optionally supported URI scheme. There are also some minor bugfixes, usability improvements, and documentation updates.

  •  01 Jun 2010 04:09

    Release Notes: This is a major security and bugfix release that improves on version 4.1's fix for an XSS vulnerability exploitable on Internet Explorer. It also contains a number of important bugfixes, including the removal of improper logic that could result in infinite loops and fixed parsing for single-attributes with entities with DirectLex.

  •  26 Apr 2010 23:01

    Release Notes: This is a major security release that fixes an XSS vulnerability exploitable on Internet Explorer. It also contains a number of new features, including dramatically more flexible Flash support, including %Output.FlashCompat to replace %HTML.SafeEmbed, optional support for the data: URI scheme, and better HTML parsing capabilities.

  •  09 Jul 2009 01:57

    Release Notes: This is a major feature release focused on configuration. It deprecates the $config->set('Ns', 'Directive', $value) syntax in favor of $config->set('Ns.Directive', $value). Both syntaxes work, but the former will throw errors. There are also some new features: robust support for name/id, configuration inheritance, removal of nbsp in the RemoveEmpty autoformatter, userland configuration directives, and configuration serialization.
