symfony/html-sanitizer - PHPackages


symfony/html-sanitizer
======================

Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

Latest release: v8.0.7 (2mo ago). License: MIT. Requires PHP &gt;=8.4.

On the directory since Feb 25. Last pushed 1w ago. 3 watchers.

[Source](https://github.com/symfony/html-sanitizer) · [Packagist](https://packagist.org/packages/symfony/html-sanitizer) · [Docs](https://symfony.com) · [Fund](https://symfony.com/sponsor) · [GitHub Sponsors](https://github.com/fabpot)


HtmlSanitizer Component
=======================

The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

Usage
-----

```php
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;

// By default, an element not added to the allowed or blocked elements
// will be dropped, including its children
$config = (new HtmlSanitizerConfig())
    // Allow "safe" elements and attributes. All scripts will be removed
    // as well as other dangerous behaviors like CSS injection
    ->allowSafeElements()

    // Allow all static elements and attributes from the W3C Sanitizer API
    // standard. All scripts will be removed but the output may still contain
    // other dangerous behaviors like CSS injection (click-jacking), CSS
    // expressions, ...
    ->allowStaticElements()

    // Allow the "div" element, with no attributes allowed on it
    ->allowElement('div')

    // Allow the "a" element, and the "title" attribute to be on it
    ->allowElement('a', ['title'])

    // Allow the "span" element, and any attribute from the Sanitizer API is allowed
    // (see https://wicg.github.io/sanitizer-api/#default-configuration)
    ->allowElement('span', '*')

    // Block the "section" element: this element will be removed but
    // its children will be retained
    ->blockElement('section')

    // Drop the "div" element: this element will be removed, including its children
    ->dropElement('div')

    // Allow the attribute "title" on the "div" element
    ->allowAttribute('title', ['div'])

    // Allow the attribute "data-custom-attr" on all currently allowed elements
    ->allowAttribute('data-custom-attr', '*')

    // Drop the "data-custom-attr" attribute from the "div" element:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', ['div'])

    // Drop the "data-custom-attr" attribute from all elements:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', '*')

    // Forcefully set the value of all "rel" attributes on "a"
    // elements to "noopener noreferrer"
    ->forceAttribute('a', 'rel', 'noopener noreferrer')

    // Transform all HTTP schemes to HTTPS
    ->forceHttpsUrls()

    // Configure which schemes are allowed in links (others will be dropped)
    ->allowLinkSchemes(['https', 'http', 'mailto'])

    // Configure which hosts are allowed in links (by default all are allowed)
    ->allowLinkHosts(['symfony.com', 'example.com'])

    // Allow relative URLs in links (by default they are dropped)
    ->allowRelativeLinks()

    // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped)
    ->allowMediaSchemes(['https', 'http'])

    // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed)
    ->allowMediaHosts(['symfony.com', 'example.com'])

    // Allow relative URLs in img/audio/video/iframe (by default they are dropped)
    ->allowRelativeMedias()

    // Configure a custom attribute sanitizer to apply custom sanitization logic
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withAttributeSanitizer($attributeSanitizer)

    // Unregister a previously registered attribute sanitizer
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withoutAttributeSanitizer($attributeSanitizer)
;

$sanitizer = new HtmlSanitizer($config);

// Sanitize a given string, using the configuration provided and in the
// "body" context (tags only allowed in <head> will be removed)
$sanitizer->sanitize($userInput);

// Sanitize the given string for a usage in a <head> tag
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize the given string for a usage in another tag
$sanitizer->sanitizeFor('title', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('div', $userInput); // Will sanitize as body
$sanitizer->sanitizeFor('section', $userInput); // Will sanitize as body
// ...
```
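A working profile built from the options listed above, as an added example that is not part of the Symfony README or the component's own code. It sanitizes a constructed comment snippet with `allowSafeElements()`, restricts link and media schemes and hosts, forces `rel` on links, and plugs in a custom `AttributeSanitizerInterface` implementation. The class `PrefixIdAttributeSanitizer`, the `user-` prefix, the host `cdn.example.com`, the 50 000 character limit and the sample HTML are assumptions made for this example; the interface's three methods (`getSupportedElements()`, `getSupportedAttributes()`, `sanitizeAttribute()`) are the component's.

```php
<?php
// Added example, not code from the symfony/html-sanitizer README.
// Assumes the component is installed with Composer
// (`composer require symfony/html-sanitizer`) so vendor/autoload.php exists.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;

/**
 * Hypothetical custom attribute sanitizer: namespace user-supplied "id"
 * values so they cannot collide with ids the application's own markup
 * and scripts rely on.
 */
final class PrefixIdAttributeSanitizer implements AttributeSanitizerInterface
{
    public function __construct(private string $prefix = 'user-')
    {
    }

    // null means "apply to every element"
    public function getSupportedElements(): ?array
    {
        return null;
    }

    // Only look at the "id" attribute
    public function getSupportedAttributes(): ?array
    {
        return ['id'];
    }

    // Returning null drops the attribute; otherwise the returned value is used
    public function sanitizeAttribute(string $element, string $attribute, string $value, HtmlSanitizerConfig $config): ?string
    {
        // Keep only characters that are unambiguous inside an id; drop the
        // attribute entirely if nothing usable is left.
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $value);

        return $clean === '' ? null : $this->prefix . $clean;
    }
}

function buildCommentSanitizer(): HtmlSanitizer
{
    $config = (new HtmlSanitizerConfig())
        // Safe elements/attributes only: scripts and CSS injection vectors are removed
        ->allowSafeElements()
        // Let users set an id, but route it through the prefixing sanitizer
        ->allowAttribute('id', '*')
        ->withAttributeSanitizer(new PrefixIdAttributeSanitizer())
        // Links: https and mailto only, and always noopener/noreferrer
        ->allowLinkSchemes(['https', 'mailto'])
        ->forceAttribute('a', 'rel', 'noopener noreferrer')
        // Media: https only, and only from a host we control (assumed name)
        ->allowMediaSchemes(['https'])
        ->allowMediaHosts(['cdn.example.com'])
        // Rewrite any remaining http URLs to https
        ->forceHttpsUrls()
        // Raise the input length cap from the component default (assumed value)
        ->withMaxInputLength(50_000);

    return new HtmlSanitizer($config);
}

// Constructed sample input covering the behaviours described in the README:
// a script element, a javascript: link, an http link with a hostile rel,
// an image from an unapproved host and one from the approved host.
$untrusted = <<<'HTML'
<p id="intro">Hello <b>world</b></p>
<script>alert(1)</script>
<a href="javascript:alert(1)">js link</a>
<a href="http://example.com/" rel="opener" target="_blank">external</a>
<img src="https://evil.example.net/x.png">
<img src="https://cdn.example.com/ok.png">
HTML;

$sanitizer = buildCommentSanitizer();

// Body context: the default for sanitize()
echo $sanitizer->sanitize($untrusted), PHP_EOL;

// Non-body context: a <title> is entity-encoded rather than parsed as markup
echo $sanitizer->sanitizeFor('title', '<b>bold</b> & "quoted"'), PHP_EOL;
```

Run it with `php example.php` after installing the component. One caveat worth knowing before relying on the output: input longer than the configured maximum input length (20 000 characters by default, changed with `withMaxInputLength()`) is truncated rather than rejected, so enforce the limit at the form or API boundary if silent truncation of a user's content is unacceptable. Which hosts may serve media is a policy decision the component cannot make for you, which is why `allowMediaHosts()` is set explicitly here instead of relying on the allow-all default.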

Resources
---------

- [Contributing](https://symfony.com/doc/current/contributing/index.html)
- [Report issues](https://github.com/symfony/symfony/issues) and [send Pull Requests](https://github.com/symfony/symfony/pulls) in the [main Symfony repository](https://github.com/symfony/symfony)

### Health Score

74 (Excellent: better than 100% of packages)

- Maintenance 92: actively maintained with recent releases
- Popularity 68: solid adoption and visibility
- Community 39: small or concentrated contributor base
- Maturity 82: battle-tested with a long release history
- Bus factor 2: 2 contributors hold 50%+ of commits

How the score is calculated:

- **Maintenance (25%)**: last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%)**: total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%)**: contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%)**: project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~17 days (recently: every ~0 days)
- Total releases: 85
- Last release: 73d ago

Major versions:

- v7.4.0-BETA1 → v8.0.0-BETA1 (2025-10-01)
- v6.4.28 → 7.3.x-dev (2025-10-30)
- v7.4.0-RC1 → v8.0.0-BETA2 (2025-10-30)
- v6.4.35 → 7.4.x-dev (2026-03-06)
- v7.4.7 → v8.0.7 (2026-03-06)

PHP version history (3 changes):

- v6.1.0-BETA1: PHP &gt;=8.1
- v7.0.0-BETA1: PHP &gt;=8.2
- v8.0.0-BETA1: PHP &gt;=8.4

### Community

Maintainers: [Fabien Potencier](/maintainers/fabpot) ([@fabpot](https://github.com/fabpot))

Top contributors (commits): [nicolas-grekas](https://github.com/nicolas-grekas) (41), [xabbuh](https://github.com/xabbuh) (17), [fabpot](https://github.com/fabpot) (14), [derrabus](https://github.com/derrabus) (5), [tgalopin](https://github.com/tgalopin) (4), [Jean-Beru](https://github.com/Jean-Beru) (1), [jmsche](https://github.com/jmsche) (1), [keradus](https://github.com/keradus) (1), [lyrixx](https://github.com/lyrixx) (1), [momito69](https://github.com/momito69) (1), [cedric-anne](https://github.com/cedric-anne) (1), [omniError](https://github.com/omniError) (1), [OskarStark](https://github.com/OskarStark) (1), [pierres](https://github.com/pierres) (1), [santysisi](https://github.com/santysisi) (1), [Seldaek](https://github.com/Seldaek) (1), [smnandre](https://github.com/smnandre) (1), [Spomky](https://github.com/Spomky) (1), [stloyd](https://github.com/stloyd) (1), [bonroyage](https://github.com/bonroyage) (1)

Tags: component, html, php, purifier, sanitizer, symfony, symfony-component, htmlsanitizer, Purifier


### Alternatives

- [ezyang/htmlpurifier](/packages/ezyang-htmlpurifier): Standards compliant HTML filter written in PHP
- [stevebauman/purify](/packages/stevebauman-purify): An HTML Purifier / Sanitizer for Laravel
- [xemlock/htmlpurifier-html5](/packages/xemlock-htmlpurifier-html5): HTML5 support for HTML Purifier
- [arondeparon/laravel-request-sanitizer](/packages/arondeparon-laravel-request-sanitizer): An easy to use request sanitizer that allows you to sanitize your form data before validating it.
- [form-manager/form-manager](/packages/form-manager-form-manager): PHP-HTML form manager
- [aura/input](/packages/aura-input): This package contains tools to describe and filter user inputs from an HTML form, including sub-forms/sub-fieldsets, fieldset collections, an interface for injecting custom filter systems, and CSRF protection. Note that this package does not include output functionality, although the "hints" provided by the Form object can be used with any presentation system to generate an HTML form.

PHPackages © 2026

