
Abandoned → [symfony/html-sanitizer](/?search=symfony%2Fhtml-sanitizer)

tgalopin/html-sanitizer-bundle
==============================

Symfony Bundle for https://github.com/tgalopin/html-sanitizer

Version 1.4.0 (4y ago), MIT license, PHP >=7.1


[Source](https://github.com/tgalopin/html-sanitizer-bundle) | [Packagist](https://packagist.org/packages/tgalopin/html-sanitizer-bundle)


html-sanitizer-bundle
=====================


[html-sanitizer](https://github.com/tgalopin/html-sanitizer) is a library aiming at handling, cleaning and sanitizing HTML sent by external users (who you cannot trust), allowing you to store it and display it safely. It has sensible defaults to provide a great developer experience while still being entirely configurable.

This repository is a Symfony bundle integrating the [html-sanitizer](https://github.com/tgalopin/html-sanitizer) library into Symfony applications. It provides helpful tools on top of the sanitizer to easily use it in Symfony.

- [Installation](#installation)
- [Configuration](#configuration)
- [Usage in services](#usage-in-services)
- [Usage in forms](#usage-in-forms)
- [Usage in Twig](#usage-in-twig)
- [Registering an extension](#registering-an-extension)
- [Security issues](#security-issues)
- [Backward Compatibility promise](#backward-compatibility-promise)

Installation
------------


html-sanitizer-bundle requires PHP 7.1+ and Symfony 3.4+.

You can install the bundle using Symfony Flex:

```
composer require tgalopin/html-sanitizer-bundle
```

Configuration
-------------


You can configure the bundle using the `html_sanitizer` configuration section:

```
# config/packages/html_sanitizer.yaml

html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            extensions: ['basic', 'image', 'list']
            tags:
                img:
                    allowed_hosts: ['127.0.0.1', 'mywebsite.com', 'youtube.com']
                    force_https: true
        admin_content:
            extensions: ['basic', 'image', 'list']
```

As you see, you can have multiple sanitizers available at the same time in your application. Have a look at the [library documentation](https://github.com/tgalopin/html-sanitizer) to learn all the available configuration options for the sanitizers themselves.

Usage in services
-----------------


This bundle provides the configured sanitizer for autowiring using the interface `HtmlSanitizer\SanitizerInterface`. This autowiring will target the default sanitizer defined in the bundle configuration.

This means that if you are using autowiring, you can simply typehint `SanitizerInterface` in any of your services to get the default sanitizer:

```
use HtmlSanitizer\SanitizerInterface;

class MyService
{
    private $sanitizer;

    public function __construct(SanitizerInterface $sanitizer)
    {
        $this->sanitizer = $sanitizer;
    }

    // ...
}
```

The same goes for controllers:

```
use HtmlSanitizer\SanitizerInterface;

class MyController
{
    public function index(SanitizerInterface $sanitizer)
    {
        // ...
    }
}
```

If you are not using autowiring, you can inject the `html_sanitizer` service into your services manually to get the default sanitizer.

If you need to access other sanitizers than the default one in your services, you can either:

1. inject a specific sanitizer by injecting it with your services configuration as `html_sanitizer.<name>` (for instance, `html_sanitizer.admin_content`);
2. use the sanitizers registry by injecting it with your services configuration as `html_sanitizer.registry`. It is a service locator mapping all the sanitizers available:

```
use Psr\Container\ContainerInterface;

class MyService
{
    public function __construct(ContainerInterface $sanitizers)
    {
        // $sanitizers->get('admin_content') ...
    }
}
```
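
An added example (not from the bundle's README) of a service that uses the `html_sanitizer.registry` locator to pick a sanitizer from the author's role and fails closed when that sanitizer is not registered. The class name `App\Content\UserContentCleaner`, the `$isAdmin` flag and the wiring shown in the comment are assumptions; `default` and `admin_content` are the sanitizers from the configuration above.

```php
<?php
// Added example, not code from the bundle. Assumed wiring in services.yaml:
//   App\Content\UserContentCleaner:
//       arguments: ['@html_sanitizer.registry']

namespace App\Content; // hypothetical namespace

use HtmlSanitizer\SanitizerInterface;
use Psr\Container\ContainerInterface;

final class UserContentCleaner
{
    private $sanitizers;

    public function __construct(ContainerInterface $sanitizers)
    {
        $this->sanitizers = $sanitizers;
    }

    /**
     * Sanitizes untrusted HTML with the profile matching the author's role.
     * The profile name is derived from a server-side role check, never from
     * request data, so a client cannot select the more permissive profile.
     */
    public function clean(string $untrustedHtml, bool $isAdmin): string
    {
        $name = $isAdmin ? 'admin_content' : 'default';

        return $this->locate($name)->sanitize($untrustedHtml);
    }

    private function locate(string $name): SanitizerInterface
    {
        // Fail closed: if the sanitizer was renamed or removed from the
        // configuration, refuse to process instead of returning raw HTML.
        if (!$this->sanitizers->has($name)) {
            throw new \LogicException(sprintf('Sanitizer "%s" is not configured.', $name));
        }

        return $this->sanitizers->get($name);
    }
}
```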

Usage in forms
--------------


> This applies only if you have installed the Symfony Form component.

The main usage of the html-sanitizer is in combination with forms. This bundle provides a TextType extension which allows you to automatically sanitize HTML of any text field or any field based on the TextType (TextareaType, SearchType, etc.).

To use it in any of your forms, you can use the `sanitize_html` option:

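```
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextareaType;
use Symfony\Component\Form\FormBuilderInterface;

class MyFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // The submitted value is sanitized with the default sanitizer
        $builder
            ->add('content', TextareaType::class, ['sanitize_html' => true])
        ;
    }
}
```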

To use a different sanitizer than the default one, use the `sanitizer` option:

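```
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextareaType;
use Symfony\Component\Form\FormBuilderInterface;

class MyFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // The submitted value is sanitized with the "admin_content" sanitizer
        $builder
            ->add('content', TextareaType::class, ['sanitize_html' => true, 'sanitizer' => 'admin_content'])
        ;
    }
}
```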

Usage in Twig
-------------


> This applies only if you have installed the Twig bundle.

A `sanitize_html` Twig filter is provided through an extension, letting you filter HTML inside your views.

```
{{ html|sanitize_html }}
```

To use a different sanitizer than the default one, add an argument to the filter:

```
{{ html|sanitize_html('admin_content') }}
```

Registering an extension
------------------------


If you use autoconfiguration, classes implementing the `HtmlSanitizer\Extension\ExtensionInterface` interface will be automatically registered and you can use them in your sanitizer configuration:

```
html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            extensions: ['basic', 'my-extension']
```

If you don't use autoconfiguration, you need to register your extension as a service tagged `html_sanitizer.extension`:

```
services:
    app.sanitizer.my_extension:
        class: 'App\Sanitizer\MyExtension'
        tags: [{ name: 'html_sanitizer.extension' }]
```

Security Issues
---------------


If you discover a security vulnerability within the sanitizer bundle or library, please follow [our disclosure procedure](https://github.com/tgalopin/html-sanitizer/blob/master/docs/A-security-disclosure-procedure.md).

Backward Compatibility promise
------------------------------


This library follows the same Backward Compatibility promise as the Symfony framework:

> *Note*: many classes in this library are either marked `@final` or `@internal`. `@internal` classes are excluded from any Backward Compatibility promise (you should not use them in your code) whereas `@final` classes can be used but should not be extended (use composition instead).

