Secure PHP HTML parser and filter is a PHP package that can be used to parse HTML and filter out insecure HTML tags and CSS styles. It comes with a general-purpose markup parser class that can parse any type of markup document similar to HTML, XML, and DTD files. It also includes several other classes that can be chained together to retrieve the document token elements returned by the main markup parser class and filter the document elements in useful ways. The markup validator filter class validates a document against a DTD, removing any invalid tags and attributes. The safe HTML filter class uses several white lists to process the HTML tags and data returned by the markup validator class and discards potentially harmful HTML tags and CSS that could be used to perform cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks. The filtered HTML tokens can be reassembled to return a well-formed and secure HTML document. The HTML links filter class can extract the links contained in an HTML document. The DTD parser and CSS parser are utility classes used by the other classes.
Tags: Security, HTML, XSS, CSRF
Operating Systems: OS Independent
Implementation: PHP 4, PHP 5
Release Notes: This release adds a filter class that can add the "nofollow" attribute to external links. The secure filter can now filter unsafe CSS stylesheets. The CSS parser now supports important styles, IE CSS hacks, and CSS style selectors. Several bugs were fixed. Documentation for several parser and filter classes was added.
Release Notes: A bug in the safe URL checking was fixed. The DTD parser was improved to handle the XHTML 1.1 DTD.
Release Notes: This release adds a script to test the CSS parser class. The CSS parser can parse values with Unicode characters. The safe HTML filter class can now process stylesheets that contain character entities. The detection of unsafe URLs that contain characters with low character codes in the middle of the URL scheme was fixed. Several new test cases were added. The handling of malformed comments and several other bugs were fixed. Support for parsing the XHTML DTD was improved.