
symfony/html-sanitizer
======================

Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

v8.1.1 (3w ago) · MIT · PHP >=8.4.1

[Source](https://github.com/symfony/html-sanitizer) · [Packagist](https://packagist.org/packages/symfony/html-sanitizer) · [Docs](https://symfony.com)

HtmlSanitizer Component
=======================

The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

Usage
-----

```
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;

// By default, an element not added to the allowed or blocked elements
// will be dropped, including its children
$config = (new HtmlSanitizerConfig())
    // Allow "safe" elements and attributes. All scripts will be removed
    // as well as other dangerous behaviors like CSS injection
    ->allowSafeElements()

    // Allow all static elements and attributes from the W3C Sanitizer API
    // standard. All scripts will be removed but the output may still contain
    // other dangerous behaviors like CSS injection (click-jacking), CSS
    // expressions, ...
    ->allowStaticElements()

    // Allow the "div" element and no attribute can be on it
    ->allowElement('div')

    // Allow the "a" element, and the "title" attribute to be on it
    ->allowElement('a', ['title'])

    // Allow the "span" element, and any attribute from the Sanitizer API is allowed
    // (see https://wicg.github.io/sanitizer-api/#default-configuration)
    ->allowElement('span', '*')

    // Block the "section" element: this element will be removed but
    // its children will be retained
    ->blockElement('section')

    // Drop the "div" element: this element will be removed, including its children
    ->dropElement('div')

    // Allow the attribute "title" on the "div" element
    ->allowAttribute('title', ['div'])

    // Allow the attribute "data-custom-attr" on all currently allowed elements
    ->allowAttribute('data-custom-attr', '*')

    // Drop the "data-custom-attr" attribute from the "div" element:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', ['div'])

    // Drop the "data-custom-attr" attribute from all elements:
    // this attribute will be removed
    ->dropAttribute('data-custom-attr', '*')

    // Forcefully set the value of all "rel" attributes on "a"
    // elements to "noopener noreferrer"
    ->forceAttribute('a', 'rel', 'noopener noreferrer')

    // Transform all HTTP schemes to HTTPS
    ->forceHttpsUrls()

    // Configure which schemes are allowed in links (others will be dropped)
    ->allowLinkSchemes(['https', 'http', 'mailto'])

    // Configure which hosts are allowed in links (by default all are allowed)
    ->allowLinkHosts(['symfony.com', 'example.com'])

    // Allow relative URL in links (by default they are dropped)
    ->allowRelativeLinks()

    // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped)
    ->allowMediaSchemes(['https', 'http'])

    // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed)
    ->allowMediaHosts(['symfony.com', 'example.com'])

    // Allow relative URL in img/audio/video/iframe (by default they are dropped)
    ->allowRelativeMedias()

    // Configure a custom attribute sanitizer to apply custom sanitization logic
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withAttributeSanitizer($attributeSanitizer)

    // Unregister a previously registered attribute sanitizer
    // ($attributeSanitizer instance of AttributeSanitizerInterface)
    ->withoutAttributeSanitizer($attributeSanitizer)
;

$sanitizer = new HtmlSanitizer($config);

// Sanitize a given string, using the configuration provided and in the
// "body" context (tags only allowed in <head> will be removed)
$sanitizer->sanitize($userInput);

// Sanitize the given string for a usage in a <head> tag
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize the given string for a usage in another tag
$sanitizer->sanitizeFor('title', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('div', $userInput); // Will sanitize as body
$sanitizer->sanitizeFor('section', $userInput); // Will sanitize as body
// ...
```
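
One way to implement the `AttributeSanitizerInterface` instance that `withAttributeSanitizer()` expects, as an added example (not code from the Symfony project). `ClassAllowListSanitizer`, its allow-list and the sample input are hypothetical, and the script assumes the component is installed through Composer.

```php
<?php

require __DIR__.'/vendor/autoload.php'; // assumes a Composer install of symfony/html-sanitizer

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;

// Hypothetical sanitizer (not shipped with the component): keeps only the
// "class" tokens found on an allow-list, so untrusted markup cannot borrow
// arbitrary application CSS classes to restyle or overlay the page.
final class ClassAllowListSanitizer implements AttributeSanitizerInterface
{
    /** @param list<string> $allowedClasses */
    public function __construct(private readonly array $allowedClasses) {}

    public function getSupportedElements(): ?array
    {
        return null; // null = apply to every element
    }

    public function getSupportedAttributes(): ?array
    {
        return ['class'];
    }

    public function sanitizeAttribute(string $element, string $attribute, string $value, HtmlSanitizerConfig $config): ?string
    {
        $tokens = preg_split('/\s+/', trim($value), -1, PREG_SPLIT_NO_EMPTY) ?: [];
        $kept = array_values(array_intersect($tokens, $this->allowedClasses));

        // Returning null tells the sanitizer to drop the attribute entirely.
        return $kept ? implode(' ', $kept) : null;
    }
}

$config = (new HtmlSanitizerConfig())
    ->allowElement('p')
    // Only "class" is allowed on <span>; "onclick" below is not on the list.
    ->allowElement('span', ['class'])
    ->withAttributeSanitizer(new ClassAllowListSanitizer(['note', 'warning']));

// Constructed sample input.
$userInput = '<p><span class="warning modal-backdrop" onclick="x()">Careful</span></p>';

echo (new HtmlSanitizer($config))->sanitize($userInput), "\n";
```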

Sponsor
-------

This package is looking for a [backer](https://symfony.com/backers).

Help Symfony by [sponsoring](https://symfony.com/sponsor) its development!

Resources
---------

- [Contributing](https://symfony.com/doc/current/contributing/index.html)
- [Report issues](https://github.com/symfony/symfony/issues) and [send Pull Requests](https://github.com/symfony/symfony/pulls) in the [main Symfony repository](https://github.com/symfony/symfony)

### Health Score

76 (Excellent): better than 100% of packages

- Maintenance: 97. Actively maintained with recent releases
- Popularity: 69. Solid adoption and visibility
- Community: 42. Growing community involvement
- Maturity: 83. Battle-tested with a long release history
- Bus Factor: 1. Top contributor holds 55.3% of commits — single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~15 days (recently: every ~0 days)
- Total: 101
- Last Release: 27d ago

Major Versions

- v7.4.12 → v8.0.12 (2026-05-20)
- v6.4.41 → v7.4.13 (2026-05-24)
- v7.4.13 → v8.0.13 (2026-05-24)
- 6.4.x-dev → v7.4.14 (2026-06-06)
- 7.4.x-dev → 8.0.x-dev (2026-06-06)

PHP version history (4 changes)

- v6.1.0-BETA1: PHP >=8.1
- v7.0.0-BETA1: PHP >=8.2
- v8.0.0-BETA1: PHP >=8.4
- v8.1.0-BETA1: PHP >=8.4.1

### Community

Maintainers

- Fabien Potencier ([@fabpot](https://github.com/fabpot))

---

Top Contributors

- [nicolas-grekas](https://github.com/nicolas-grekas) (68 commits)
- [xabbuh](https://github.com/xabbuh) (17 commits)
- [fabpot](https://github.com/fabpot) (14 commits)
- [derrabus](https://github.com/derrabus) (5 commits)
- 1 commit each: javiereguiluz, Jean-Beru, jmsche, keradus, lyrixx, alexandre-daubois, omniError, OskarStark, pierres, santysisi, Seldaek, smnandre, Spomky, stloyd, tgalopin, momito69

---

Tags

component, html, php, purifier, sanitizer, symfony, symfony-component, htmlsanitizer, Purifier

### Alternatives

- [ezyang/htmlpurifier](/packages/ezyang-htmlpurifier): Standards compliant HTML filter written in PHP
- [craftcms/cms](/packages/craftcms-cms): Craft CMS
- [stevebauman/purify](/packages/stevebauman-purify): An HTML Purifier / Sanitizer for Laravel
- [xemlock/htmlpurifier-html5](/packages/xemlock-htmlpurifier-html5): HTML5 support for HTML Purifier
- [arondeparon/laravel-request-sanitizer](/packages/arondeparon-laravel-request-sanitizer): An easy to use request sanitizer that allows you to sanitize your form data before validating it.
- [form-manager/form-manager](/packages/form-manager-form-manager): PHP-HTML form manager

