HTML Purifier is PHP software for HTML filtering. It is an alternative to BBCode or other obscure custom markup languages. It will not only remove all malicious code (XSS), but will also make sure the HTML is standards compliant.
Tags: Text Processing, Markup, HTML/XHTML, Filters, Software Development, Libraries, php classes
Operating Systems: OS Independent
Release Notes: This is a major security release addressing various security vulnerabilities related to user-submitted code and legitimate client-side scripts. It also contains an accumulation of new features and bugfixes over half a year. New configuration options include %CSS.Trusted, %CSS.AllowedFonts, and %Cache.SerializerPermissions. There is a backwards-incompatible API change for customized raw definitions.
Release Notes: This is a minor release that implements a number of feature requests accumulated over half a year. New configuration options include %Core.RemoveProcessingInstructions, %CSS.ForbiddenProperties, %HTML.FlashAllowFullScreen, and %Core.NormalizeNewlines. Additionally, %URI.DisableResources is now functional and "file:" is an optionally supported URI scheme. There are also some minor bugfixes, usability improvements, and documentation updates.
Release Notes: This is a major security and bugfix release that improves on version 4.1's fix for an XSS vulnerability exploitable on Internet Explorer. It also contains a number of important bugfixes, including the removal of faulty logic that could cause infinite loops, and a fix for DirectLex's parsing of single attributes that contain entities.
Release Notes: This is a major security release that fixes an XSS vulnerability exploitable on Internet Explorer. It also contains a number of new features: dramatically more flexible Flash support (with %Output.FlashCompat replacing %HTML.SafeEmbed), optional support for the data: URI scheme, and better HTML parsing capabilities.
Release Notes: This is a major feature release focused on configuration. It deprecates the $config->set('Ns', 'Directive', $value) syntax in favor of $config->set('Ns.Directive', $value). Both syntaxes work, but the former will throw errors. There are also some new features: robust support for name/id, configuration inheritance, removal of nbsp in the RemoveEmpty autoformatter, userland configuration directives, and configuration serialization.