
liquidedge-app/htmlsanitizer
============================

Client-side HTML Sanitizer

Latest release 1.0.3 (2y ago), language: HTML. Last pushed 2y ago.

[Source](https://github.com/ryno-liquidedge/HtmlSanitizer) [Packagist](https://packagist.org/packages/liquidedge-app/htmlsanitizer)

JS Html Sanitizer
=================


Client-side HTML Sanitizer (front-end only, i.e. "needs a browser", won't work in `Node`) to prevent XSS and unwanted tags in UGC.

- Very fast (8000 ops/sec)
- Very small (1.7kb *unminified!*)
- Zero dependency, vanilla JS, works even in IE (duh)

> Please note: to prevent XSS attacks you should always sanitize input **on the server too**. *Never trust the client!*

### Install

```
npm install @jitbit/htmlsanitizer
```

(simply puts the script into `/node_modules`)

### Usage

```
var html;

//run with default settings
html = HtmlSanitizer.SanitizeHtml("alert('xss!');"); //returns "";
html = HtmlSanitizer.SanitizeHtml(""); //returns "";
html = HtmlSanitizer.SanitizeHtml(""); //returns "";

//permanently allow a tag for all future invocations
HtmlSanitizer.AllowedTags['FORM'] = true;
html = HtmlSanitizer.SanitizeHtml(""); //returns "";

//allow something only once by specifying a selector
html = HtmlSanitizer.SanitizeHtml("", "input[type=checkbox]"); //returns "";
```

The sanitizer uses a [whitelisting](https://en.wikipedia.org/wiki/Whitelisting) approach (as opposed to "blacklisting"): everything that is not explicitly allowed is removed.

Speed & Benchmarks
------------------

It uses the browser's own DOM to parse the HTML via the `DOMParser` object (hence the "front-end only" requirement), which makes it **much faster** than "pure JavaScript" sanitizers.

Tested on the `https://www.bbc.co.uk` homepage: the page is sanitized **~370 times per second** on an i5 CPU in Firefox Quantum (measured with `benchmark.js`).

HtmlSanitizer vs DOMPurify benchmark output:

```
starting benchmark...
HtmlSanitizer x 8,048 ops/sec ±3.37% (44 runs sampled)
DOMPurify x 5,195 ops/sec ±3.30% (57 runs sampled)
Fastest is HtmlSanitizer
```

Tags allowed by default
-----------------------


`a, abbr, b, blockquote, body, br, center, code, div, em, font, h1, h2, h3, h4, h5, h6, hr, i, img, label, li, ol, p, pre, small, source, span, strong, table, tbody, tr, td, th, thead, ul, u, video`

Attributes allowed by default
-----------------------------


`align, color, controls, height, href, src, style, target, title, type, width`

CSS styles allowed by default
-----------------------------


`color, background-color, font-size, text-align, text-decoration, font-weight`

Schemas allowed by default
--------------------------


`http:, https:, data:, m-files:, file:, ftp:, mailto:, pw:`

(allowed in `src`, `href` and similar URI attributes; a value whose scheme is not on this list is cleaned out of the attribute)
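The scheme allow-list above in runnable form, as an added example that is not code from the HtmlSanitizer project: it uses the README's default list, adds a tightened variant without `data:` and `file:`, and assumes a page origin of `https://example.com` for resolving relative links and the WHATWG `URL` parser for extracting the scheme (how the library itself extracts it is not shown on this page).

```javascript
// Added example, not code from the HtmlSanitizer project: a stand-alone version of the
// URI-scheme allow-list check, using the README's default scheme list. Scheme extraction
// relies on the WHATWG URL parser (browsers and Node): it trims surrounding whitespace and
// control characters, removes embedded tabs/newlines and lowercases the scheme.

// The default list quoted in the README.
const DEFAULT_SCHEMAS = ["http:", "https:", "data:", "m-files:", "file:", "ftp:", "mailto:", "pw:"];

// A tighter list for untrusted content: data: URIs can embed whole documents and
// file: points at the local machine, so neither is needed for ordinary links/images.
const STRICT_SCHEMAS = DEFAULT_SCHEMAS.filter((s) => s !== "data:" && s !== "file:");

// Assumed origin of the hosting page, used to resolve relative values ("/path", "#x",
// "//host/path"); relative links therefore inherit the page's own scheme.
const PAGE_BASE = "https://example.com/";

// True when an href/src value uses an allowed scheme; unparsable values are rejected.
function isAllowedUri(value, allowedSchemas = DEFAULT_SCHEMAS) {
  let url;
  try {
    url = new URL(value, PAGE_BASE);
  } catch (e) {
    return false;
  }
  return allowedSchemas.includes(url.protocol);
}

// Splits attribute values into those a sanitizer would keep and those it would strip.
function filterUriValues(values, allowedSchemas = DEFAULT_SCHEMAS) {
  const kept = [];
  const dropped = [];
  for (const v of values) {
    (isAllowedUri(v, allowedSchemas) ? kept : dropped).push(v);
  }
  return { kept, dropped };
}

// Constructed sample values, as they might appear in href/src attributes after parsing.
const SAMPLE_VALUES = [
  "https://example.org/page",
  "/images/logo.png",              // relative: resolves to https: via PAGE_BASE
  "  JavaScript:alert(1)",         // leading spaces and mixed case
  "java\tscript:alert(1)",         // embedded tab
  "data:text/plain;base64,aGk=",   // allowed by default, rejected by STRICT_SCHEMAS
];

console.log("default:", filterUriValues(SAMPLE_VALUES));
console.log("strict: ", filterUriValues(SAMPLE_VALUES, STRICT_SCHEMAS));
```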

Configuring
-----------


Allowed tags, attributes, schemas and styles are listed in `AllowedTags`, `AllowedAttributes`, `AllowedSchemas` and `AllowedCssStyles` public properties. To disallow a tag remove it from the dictionary like this:

```
delete HtmlSanitizer.AllowedTags['TABLE']; //mind the uppercase
```

To add an allowed tag globally:

```
HtmlSanitizer.AllowedTags['SCRIPT'] = true; //mind the uppercase
```

To allow an extra tag for a single invocation only, pass a CSS selector for the extra elements to allow as the second parameter:

```
var html = HtmlSanitizer.SanitizeHtml("", "input[type=checkbox]");
```

Browser support
---------------


Supported by all major browsers, IE10 and higher.

BUT WHY?
--------


> Why create a front-end HTML sanitizer if the input has to be sanitized on the server anyway?

Users often copy-paste awful HTML generated by MS Word, MS Outlook or Apple Mail that needs a clean-up. Or you need to remove excessive formatting in a WYSIWYG editor. Or you need to display an (ugly) email message in a (beautiful) mobile app. Or (my favorite) you simply need to ease the load on the server-side sanitizer. And many, many other use-cases.

© [Jitbit](https://www.jitbit.com/)

### Health Score

22 (Low: better than 22% of packages)

- Maintenance: 20 (infrequent updates, may be unmaintained)
- Popularity: 10 (limited adoption so far)
- Community: 8 (small or concentrated contributor base)
- Maturity: 44 (maturing project, gaining track record)
- Bus factor: 1 (top contributor holds 97.5% of commits, a single point of failure)


### Release Activity

- Cadence: every ~0 days
- Total releases: 4
- Last release: 731d ago

### Community

Maintainers: [ryno-liquidedge](/maintainers/ryno-liquidedge)

Top contributors: [alex-jitbit](https://github.com/alex-jitbit) (79 commits), [ryno-liquidedge](https://github.com/ryno-liquidedge) (2 commits)
