HTML Purifier 3.0.0 released

Posted on January 16th, 2008 by Luke Visinoni

If you have ever used BBCode or any other non-HTML markup language in an attempt to avoid having to filter user-submitted HTML, those days are over. HTML Purifier is a standards-compliant HTML filter. This means that not only does it protect your website from security risks such as cross-site scripting attacks, but it also produces completely valid (X)HTML. It is also character-encoding aware. With this release, the author, Edward Z. Yang, has decided to GoPHP5, so don’t expect to see this version released for PHP 4. (The 2.1.x branch will be maintained until PHP 4 is completely deprecated, but no new features will be added to it.)

This release includes a number of improvements in CSS handling: the filter HTMLPurifier_Filter_ExtractStyleBlocks, which integrates HTML Purifier with CSSTidy for cleaning style sheets (see the source code file for more information on usage); experimental support for proprietary CSS properties with %CSS.Proprietary; case-insensitive CSS properties; and more lenient hexadecimal color codes. Also, all code has been upgraded to full PHP 5 and is E_STRICT clean for all versions of PHP 5 (including the 5.0 series, which previously had parse-time errors).

For more details about the release, check out HTML Purifier’s website.

2 Responses to “HTML Purifier 3.0.0 released”

  1. Santosh Patnaik Says:

    htmLawed is another PHP script like HTMLPurifier and it is PHP4-compatible. Also, it is small and not resource-intensive.

  2. Due to our blog being hacked recently, we have decided to implement the HTML Purifier plugin for our site. Although I have no idea if improperly sanitized HTML was responsible for the attack, it’s always a good idea to err on the safe side.

    @Santosh - Interesting, I hadn’t heard of htmLawed. You might drop by the HTML Purifier website and let the author know about that library as well. He likes competition :)
