Abandoned → [symfony/html-sanitizer](/?search=symfony%2Fhtml-sanitizer) · Archived · Library · [Validation & Sanitization](/categories/validation)

tgalopin/html-sanitizer
=======================

Sanitize untrustworthy HTML user input

1.5.0 (4y ago) · 3665.8M ↓49.1% · 40 · [20 issues](https://github.com/tgalopin/html-sanitizer/issues) · [5 PRs](https://github.com/tgalopin/html-sanitizer/pulls) · 7 · MIT · PHP · PHP >=7.1

Since Oct 16 · Pushed 4y ago · 1 watchers

[Source](https://github.com/tgalopin/html-sanitizer) · [Packagist](https://packagist.org/packages/tgalopin/html-sanitizer)

html-sanitizer
==============

> This library is deprecated as it was merged into Symfony as the HtmlSanitizer component in Symfony 6.1: [https://symfony.com/doc/current/html_sanitizer.html](https://symfony.com/doc/current/html_sanitizer.html)

html-sanitizer is a library aiming at handling, cleaning and sanitizing HTML sent by external users (who you cannot trust), allowing you to store it and display it safely. It has sensible defaults to provide a great developer experience while still being entirely configurable.

Internally, the sanitizer has a deep understanding of HTML: it parses the input and creates a tree of DOMNode objects, which it uses to keep only the safe elements from the content. By using this technique, it is safe (it works with a strict whitelist), fast and easily extensible.

It also provides useful features such as the possibility to transform image or iframe URLs to HTTPS.
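
The parse-then-allowlist approach described above, as an added sketch that is not the library's own code or API. It assumes a hypothetical `ALLOWED` map and hypothetical function names, and uses PHP's built-in `DOMDocument` in place of the HTML5 parser the library uses by default.

```php
<?php
// Added illustration, not tgalopin/html-sanitizer's code. ALLOWED and the
// function names are hypothetical; ext-dom stands in for the HTML5 parser.
const ALLOWED = ['p' => [], 'strong' => [], 'em' => [], 'br' => [],
    'a' => ['href'], 'img' => ['src', 'alt']];
// Accept only absolute http(s) URLs; optionally upgrade http to https.
function safeUrl(string $url, bool $forceHttps): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (empty($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return ($forceHttps && $scheme === 'http') ? 'https' . substr($url, 4) : $url;
}
// Copy allowlisted nodes into a fresh document; everything else (script,
// comments, unknown tags, unlisted attributes) is dropped with its subtree.
function copyAllowed(DOMNode $from, DOMNode $to, DOMDocument $doc): void
{
    foreach ($from->childNodes as $child) {
        if ($child instanceof DOMText) {
            $to->appendChild($doc->createTextNode($child->nodeValue));
        } elseif ($child instanceof DOMElement && array_key_exists($child->nodeName, ALLOWED)) {
            $copy = $to->appendChild($doc->createElement($child->nodeName));
            foreach (ALLOWED[$child->nodeName] as $attr) {
                $value = $child->getAttribute($attr);
                $value = ($attr === 'href' || $attr === 'src') ? safeUrl($value, $child->nodeName === 'img') : $value;
                if ($value !== null && $value !== '') {
                    $copy->setAttribute($attr, $value);
                }
            }
            copyAllowed($child, $copy, $doc);
        }
    }
}

function sanitize(string $html): string
{
    $src = new DOMDocument();
    $src->loadHTML('<meta charset="utf-8"><body>' . $html, LIBXML_NOERROR | LIBXML_NOWARNING | LIBXML_NONET);
    $doc = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('body'));
    copyAllowed($src->getElementsByTagName('body')->item(0) ?? $src, $root, $doc);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes)));
}
// Constructed sample input: event handler, javascript: URL, script, http image.
echo sanitize('<p onclick="x()">Hi <a href="javascript:alert(1)">link</a>'
    . '<script>alert(1)</script><img src="http://example.com/a.png" alt="a"></p>'), "\n";
```

Because the output is rebuilt from the allowlist rather than filtered from the input, the `onclick` attribute, the `javascript:` link target and the `script` element never reach the result, and the image URL is upgraded to HTTPS.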

Symfony integration
-------------------

This library is also available as [a Symfony bundle](https://github.com/tgalopin/html-sanitizer-bundle).

Documentation
-------------

1. [Getting started](https://github.com/tgalopin/html-sanitizer/blob/master/docs/1-getting-started.md)
2. [Creating an extension to allow custom tags](https://github.com/tgalopin/html-sanitizer/blob/master/docs/2-creating-an-extension-to-allow-custom-tags.md)
3. [Configuration reference](https://github.com/tgalopin/html-sanitizer/blob/master/docs/3-configuration-reference.md)
4. [Comparison with HTMLPurifier](https://github.com/tgalopin/html-sanitizer/blob/master/docs/4-comparison-with-htmlpurifier.md)

Security Issues
---------------

If you discover a security vulnerability within the sanitizer, please follow [our disclosure procedure](https://github.com/tgalopin/html-sanitizer/blob/master/docs/A-security-disclosure-procedure.md).

Backward Compatibility promise
------------------------------

This library follows the same Backward Compatibility promise as the Symfony framework:

> *Note*: many classes in this library are either marked `@final` or `@internal`. `@internal` classes are excluded from any Backward Compatibility promise (you should not use them in your code) whereas `@final` classes can be used but should not be extended (use composition instead).

Thanks
------

Many thanks to:

- [The Open Web Application Security Project](https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project), from which many of the tests of this library are extracted (more specifically from [OWASP/java-html-sanitizer](https://github.com/OWASP/java-html-sanitizer));
- [Masterminds/html5-php](https://github.com/Masterminds/html5-php), which is a great HTML5 parser, used by default in this library;
- [The PHP League URI parser](http://uri.thephpleague.com/), which allows this library to filter hosts safely.

###  Health Score

47 (Fair). Better than 93% of packages.

- Maintenance: 19. Infrequent updates, may be unmaintained.
- Popularity: 63. Solid adoption and visibility.
- Community: 29. Small or concentrated contributor base.
- Maturity: 64. Established project with proven stability.
- Bus Factor: 1. Top contributor holds 87.1% of commits (single point of failure).

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

- Cadence: every ~88 days (recently: every ~254 days)
- Total: 13
- Last Release: 1754d ago
- Major Versions: 0.5.0 → 1.0.0 (2018-11-18)

### Community

Maintainers: [tgalopin](/maintainers/tgalopin)

Top Contributors:

- [tgalopin](https://github.com/tgalopin) (81 commits)
- [norkunas](https://github.com/norkunas) (2 commits)
- [Lctrs](https://github.com/Lctrs) (2 commits)
- [olegatro](https://github.com/olegatro) (1 commits)
- [paragonie-security](https://github.com/paragonie-security) (1 commits)
- [snebes](https://github.com/snebes) (1 commits)
- [sukant-kar](https://github.com/sukant-kar) (1 commits)
- [fbastien](https://github.com/fbastien) (1 commits)
- [voku](https://github.com/voku) (1 commits)
- [javiereguiluz](https://github.com/javiereguiluz) (1 commits)
- [martijnve](https://github.com/martijnve) (1 commits)

###  Code Quality

Tests: PHPUnit

