README

PHP XSS sanitizer tool for HTML

Disclaimer

Use HTML Purifier.

This library was created to try to solve the problem of XSS sanitization without using a permissive list, since the HTML which is being sanitized may contain non-standard or unusual syntax (e.g. HTML for emails).

This library is also intended for a limited use case whereby it is assumed that the sanitized HTML is only going to be displayed in a limited set of supported browsers (e.g. no need to strip 'vbscript:' code).

Install

Via Composer

$ composer require phlib/xss-sanitizer

Usage

Create a sanitizer and sanitize some input:

$sanitizer = new \Phlib\XssSanitizer\Sanitizer();
$sanitized = $sanitizer->sanitize($htmlInput);

Optionally, extra tags and/or attributes can be specified to be removed, in addition to the defaults:

$removeBlocks = ['xss'];
$removeAttributes = ['onwebkittransitionend'];
$sanitizer = new \Phlib\XssSanitizer\Sanitizer($removeBlocks, $removeAttributes);
$sanitized = $sanitizer->sanitize($htmlInput);

Supported Browsers

This library is intended to prevent XSS vulnerabilities when the resulting HTML is rendered by any of the following browsers:

• Chrome (40+)
• Firefox (40+)
• Safari (8+)
• IE (10, 11)
• Edge

License

This package is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/.