
mirazmac/html-sanitizer
=======================

A lightweight library to make sanitizing HTML easier on PHP.

1.0.0 (4y ago) · 738 · MIT · PHP · PHP >=7.0

Since Oct 17 · Pushed 4y ago · 1 watchers

[Source](https://github.com/MirazMac/html-sanitizer) · [Packagist](https://packagist.org/packages/mirazmac/html-sanitizer) · [Docs](https://mirazmac.com)


[![PHP Requirements Checker](https://user-images.githubusercontent.com/13865787/130739385-da8a7794-af57-49a9-b534-b6414890ec48.png)](https://user-images.githubusercontent.com/13865787/130739385-da8a7794-af57-49a9-b534-b6414890ec48.png)

HTMLSanitizer
=============

A super lightweight PHP library to sanitize an HTML string against a whitelist. It has all the features an HTML sanitizer should have, including tag-based whitelisting, custom tags and attributes, and even the ability to treat custom attributes as Boolean or URL.

Prologue
========

Almost every PHP app needs to sanitize HTML once in a while, whether it is a simple comment or the output of a full-blown WYSIWYG editor. It's crucial to ensure that only the HTML you allow gets through. There are tons of HTML sanitizer libraries out there for PHP. Now don't get me wrong, but most of them are... bloated. And I get it: since they need to ensure absolute security for their users, things can get pretty complicated. But most of us don't need that sort of functionality.

`HtmlSanitizer` doesn't concern itself with validating or fixing the HTML at all. It treats the HTML as is, matches it against a defined `WhiteList` of HTML tags and attributes, and escapes them where necessary. In addition, it lets you define types for these attributes; the currently supported ones are URL and Boolean. You can also define allowed hosts for a specific tag: for example, you may wish to allow only youtube.com URLs on an iframe, which can be done very easily.

### Requirements

`HtmlSanitizer` has no external dependencies, only native PHP ones. Most of them are very common and come bundled with PHP almost 90% of the time:

- PHP >=7.0
- mbstring
- libxml
- dom

### Install

```
composer require mirazmac/html-sanitizer dev-main
```

Usage
-----

```
<?php

use MirazMac\HtmlSanitizer\Whitelist;
use MirazMac\HtmlSanitizer\Sanitizer;

require_once '../vendor/autoload.php';

$whitelist = new Whitelist;

// Allow the anchor tag with specific attributes
$whitelist->allowTag('a', ['href', 'title', 'download', 'data-url', 'data-loaded']);

// You can add multiple tags at once as well if that's what you prefer
$whitelist->setTags(
    [
        // allows the `abbr` tag and its title attribute
        'abbr' =>  ['title'],
        // allows only the em tag, any attributes would be stripped off
        'em'   =>  [],
    ],
    true
);

// Set allowed hosts for the URL attributes on the `a` tag
$whitelist->setAllowedHosts('a', ['google.com', 'facebook.com']);

// Set the allowed protocols for this document
$whitelist->setProtocols(['http', '//', 'https']);

// Set a list of allowed values for an attribute's tag
$whitelist->setAllowedValues('abbr', 'title', ['one', 'two', 'three']);

// Set a list of custom attributes to be treated as URL (i.e to use the host & protocol filter)
$whitelist->treatAttributesAsUrl(['data-url']);

// Set a list of custom attributes to be treated as HTML Boolean (not true/false),
// i.e. their values would be set to blank or the name of the attribute itself.
// 'data-loaded' matches the attribute allowed on the `a` tag above.
$whitelist->treatAttributesAsBoolean(['data-loaded']);

// Create the sanitizer instance that uses this whitelist
$htmlsanitizer = new Sanitizer($whitelist);

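// Returns the sanitized string.
// Sample input (illustrative markup; example.com is a placeholder host outside the allowed list)
$sanitizedHTML = $htmlsanitizer->sanitize('<a href="https://google.com">Google</a> <a href="https://example.com">My URL would be removed</a>');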

echo "HTML Source Output: ";
echo htmlspecialchars($sanitizedHTML);
echo "Rendered Output:" . $sanitizedHTML;
```

Quirks
------

- Currently doesn't support URL filtering on attributes that contain multiple URLs, for example `srcset`.
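
The host and protocol filtering described in the Prologue, extended here to the multi-URL `srcset` case that the library does not cover. This is an added example, not part of the library's code: it assumes the application vets `srcset` values itself, and the function names and sample hosts are hypothetical.

```php
<?php
// Added example: stand-alone helpers, not part of mirazmac/html-sanitizer.
// Function names and all sample values are hypothetical.

/** True when $url has an allowed scheme and an allowed host (or a subdomain of one). */
function urlIsAllowed(string $url, array $schemes, array $hosts): bool
{
    // Backslashes, whitespace and control characters are read differently by
    // browsers and parse_url(), so refuse them outright.
    if (preg_match('/[\\\\\s\x00-\x1f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    // Relative, protocol-relative, credential-bearing and malformed URLs fail closed.
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host']) || isset($parts['user'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), $schemes, true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($hosts as $allowed) {
        // Exact match or dot-bounded suffix: "youtube.com.example" must not pass.
        if ($host === $allowed || substr($host, -strlen($allowed) - 1) === '.' . $allowed) {
            return true;
        }
    }
    return false;
}

/** True only when every image candidate in a srcset value passes urlIsAllowed(). */
function srcsetIsAllowed(string $srcset, array $schemes, array $hosts): bool
{
    // Simplified split on every comma: a URL that itself contains a comma breaks
    // into pieces that fail the check, so the value is rejected rather than passed.
    $candidates = array_filter(array_map('trim', explode(',', $srcset)), 'strlen');
    foreach ($candidates as $candidate) {
        $url = preg_split('/\s+/', $candidate)[0]; // drop the "2x" / "640w" descriptor
        if (!urlIsAllowed($url, $schemes, $hosts)) {
            return false;
        }
    }
    return $candidates !== []; // an empty srcset is not accepted either
}

// Constructed inputs: one value on the allowed host, one with a foreign candidate.
var_dump(srcsetIsAllowed('https://cdn.example/a.png 1x, https://cdn.example/a-2x.png 2x', ['https'], ['cdn.example']));
var_dump(srcsetIsAllowed('https://cdn.example/a.png 1x, https://other.example/b.png 2x', ['https'], ['cdn.example']));
var_dump(urlIsAllowed('https://www.youtube.com/embed/ID', ['https'], ['youtube.com']));
```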

Todos
-----

- Full tests coverage
- Write extended docs

### Health Score

24 (Low): better than 31% of packages

- Maintenance: 20. Infrequent updates, may be unmaintained
- Popularity: 14. Limited adoption so far
- Community: 7. Small or concentrated contributor base
- Maturity: 47. Maturing project, gaining track record
- Bus Factor: 1. Top contributor holds 100% of commits (single point of failure)

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~85 days
- Total: 2
- Last release: 1625d ago
- Major versions: 0.1 → 1.0.0 (2022-01-10)

### Community

Maintainers: [Miraz Mac](/maintainers/mirazmac) ([@MirazMac](https://github.com/MirazMac))

Top Contributors: [MirazMac](https://github.com/MirazMac) (9 commits)

### Code Quality

Tests: PHPUnit

