PHPackages                             totara/htmlpurifier-html5 - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Validation &amp; Sanitization](/categories/validation)
4. /
5. totara/htmlpurifier-html5

ActiveLibrary[Validation &amp; Sanitization](/categories/validation)

totara/htmlpurifier-html5
=========================

HTML5 support for HTML Purifier

v0.1.12(7mo ago)05.4k↓17.9%MITPHP &gt;=5.3

Since Sep 25Pushed 7mo agoCompare

[ Source](https://github.com/totara/htmlpurifier-html5)[ Packagist](https://packagist.org/packages/totara/htmlpurifier-html5)[ Docs](https://github.com/xemlock/htmlpurifier-html5)[ RSS](/packages/totara-htmlpurifier-html5/feed)WikiDiscussions totara Synced 1mo ago

READMEChangelog (1)Dependencies (4)Versions (2)Used By (0)

HTML5 Definitions for HTML Purifier
===================================

[](#html5-definitions-for-html-purifier)

This is a Totara-specific fork of the HTML5 Purifier definition.

This library provides HTML5 element definitions for [HTML Purifier](https://github.com/ezyang/htmlpurifier), compliant with the [WHATWG spec](https://html.spec.whatwg.org/).

It is the most complete HTML5-compliant solution among all based on HTML Purifier. Apart from providing the most extensive set of element definitions, it provides tidy/sanitization rules for transforming the input into a valid HTML5 output.

Installation
------------

[](#installation)

Install with [Composer](https://getcomposer.org/) by running the following command:

```
composer require xemlock/htmlpurifier-html5

```

Usage
-----

[](#usage)

The most basic usage is similar to the original HTML Purifier. Create a HTML5-compatible config using `HTMLPurifier_HTML5Config::createDefault()` factory method, and then pass it to an `HTMLPurifier` instance:

```
$config = HTMLPurifier_HTML5Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html5 = $purifier->purify($dirty_html5);
```

To modify the config you can either instantiate the config with a configuration array passed to `HTMLPurifier_HTML5Config::create()`, or by calling `set` method on an already existing config instance.

For example, to allow `IFRAME`s with Youtube videos you can do the following:

```
$config = HTMLPurifier_HTML5Config::create(array(
  'HTML.SafeIframe' => true,
  'URI.SafeIframeRegexp' => '%^//www\.youtube\.com/embed/%',
));
```

or equivalently:

```
$config = HTMLPurifier_HTML5Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^//www\.youtube\.com/embed/%');
```

Configuration
-------------

[](#configuration)

Apart from HTML Purifier's built-in [configuration directives](http://htmlpurifier.org/live/configdoc/plain.html), the following new directives are also supported:

- **Attr.AllowedInputTypes**

    Version added: 0.1.12
    Type: [Lookup](http://htmlpurifier.org/live/configdoc/plain.html#type-lookup) (or null)
    Default: `null`

    List of allowed input types, chosen from the types defined in the spec. By default, the setting is `null`, meaning there is no restriction on allowed types. Empty array means that no explicit `type` attributes are allowed, effectively making all inputs a text inputs.
- **HTML.Forms**

    Version added: 0.1.12
    Type: [Boolean](http://htmlpurifier.org/live/configdoc/plain.html#type-bool)
    Default: `false`

    Whether or not to permit form elements in the user input, regardless of [%HTML.Trusted](http://htmlpurifier.org/live/configdoc/plain.html#HTML.Trusted) value. Please be very careful when using this functionality, as enabling forms in untrusted documents may allow for phishing attacks.
- **HTML.IframeAllowFullscreen**

    Version added: 0.1.11
    Type: [Boolean](http://htmlpurifier.org/live/configdoc/plain.html#type-bool)
    Default: `false`

    Whether or not to permit `allowfullscreen` attribute on `iframe` tags. It requires either [%HTML.SafeIframe](http://htmlpurifier.org/live/configdoc/plain.html#HTML.SafeIframe) or [%HTML.Trusted](http://htmlpurifier.org/live/configdoc/plain.html#HTML.Trusted) to be `true`.
- **HTML.Link**

    Version added: 0.1.12
    Type: [Boolean](http://htmlpurifier.org/live/configdoc/plain.html#type-bool)
    Default: `false`

    Permit the `link` tags in the user input, regardless of [%HTML.Trusted](http://htmlpurifier.org/live/configdoc/plain.html#HTML.Trusted) value. This effectively allows `link` tags without allowing other untrusted elements.

    If enabled, URIs in `link` tags will not be matched against a whitelist specified in %URI.SafeLinkRegexp (unless %HTML.SafeIframe is also enabled).
- **HTML.SafeLink**

    Version added: 0.1.12
    Type: [Boolean](http://htmlpurifier.org/live/configdoc/plain.html#type-bool)
    Default: `false`

    Whether to permit `link` tags in untrusted documents. This directive must be accompanied by a whitelist of permitted URIs via %URI.SafeLinkRegexp, otherwise no `link` tags will be allowed.
- **HTML.XHTML**

    Version added: 0.1.12
    Type: [Boolean](http://htmlpurifier.org/live/configdoc/plain.html#type-bool)
    Default: `false`

    While deprecated in HTML 4.01 / XHTML 1.0 context, in HTML5 it's used for enabling support for namespaced attributes and XML self-closing tags.

    When enabled it causes `xml:lang` attribute to take precedence over `lang`, when both attributes are present on the same element.
- **URI.SafeLinkRegexp**

    Version added: 0.1.12
    Type: [String](http://htmlpurifier.org/live/configdoc/plain.html#type-string)
    Default: `null`

    A PCRE regular expression that will be matched against a `` URI. This directive only has an effect if %HTML.SafeLink is enabled. Here are some example values: `%^https?://localhost/%` - Allow localhost URIs

    Use `Attr.AllowedRel` to control permitted link relationship types.

Supported HTML5 elements
------------------------

[](#supported-html5-elements)

Aside from HTML elements supported originally by HTML Purifier, this library adds support for the following HTML5 elements:

``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``, ``

as well as HTML5 attributes added to existing HTML elements, such as:

``, ``, ``, ``, ``

License
-------

[](#license)

The MIT License (MIT). See the LICENSE file.

###  Health Score

31

—

LowBetter than 68% of packages

Maintenance62

Regular maintenance activity

Popularity25

Limited adoption so far

Community14

Small or concentrated contributor base

Maturity20

Early-stage or recently created project

 Bus Factor1

Top contributor holds 94% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Unknown

Total

1

Last Release

235d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/ae8f931f9c95df62e378105a5ec7ad82447b496bda43fd39b3f1f09697d26aba?d=identicon)[totara](/maintainers/totara)

![](https://www.gravatar.com/avatar/654ac6b1ad4fd1c52ca53449905ed2fba0207dd3afa5cc163683aab883878ddc?d=identicon)[codytotara](/maintainers/codytotara)

---

Top Contributors

[![xemlock](https://avatars.githubusercontent.com/u/952555?v=4)](https://github.com/xemlock "xemlock (218 commits)")[![sherbrow](https://avatars.githubusercontent.com/u/1212399?v=4)](https://github.com/sherbrow "sherbrow (5 commits)")[![bytestream](https://avatars.githubusercontent.com/u/1788397?v=4)](https://github.com/bytestream "bytestream (4 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (1 commits)")[![fossabot](https://avatars.githubusercontent.com/u/29791463?v=4)](https://github.com/fossabot "fossabot (1 commits)")[![mbrodala](https://avatars.githubusercontent.com/u/5037116?v=4)](https://github.com/mbrodala "mbrodala (1 commits)")[![codyfinegan](https://avatars.githubusercontent.com/u/44886?v=4)](https://github.com/codyfinegan "codyfinegan (1 commits)")[![codebymikey](https://avatars.githubusercontent.com/u/9484406?v=4)](https://github.com/codebymikey "codebymikey (1 commits)")

---

Tags

validatorsecurityhtmlPurifierHTML5htmlpurifierxsstidy

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/totara-htmlpurifier-html5/health.svg)

```
[![Health](https://phpackages.com/badges/totara-htmlpurifier-html5/health.svg)](https://phpackages.com/packages/totara-htmlpurifier-html5)
```

###  Alternatives

[xemlock/htmlpurifier-html5

HTML5 support for HTML Purifier

1052.9M11](/packages/xemlock-htmlpurifier-html5)[mews/purifier

Laravel 5/6/7/8/9/10 HtmlPurifier Package

2.0k16.7M113](/packages/mews-purifier)[stevebauman/purify

An HTML Purifier / Sanitizer for Laravel

5325.6M19](/packages/stevebauman-purify)[luketowers/purifier

Laravel 5 HtmlPurifier Package

3280.0k9](/packages/luketowers-purifier)[stolz/laravel-html-tidy

HTML Tidy middleware for Laravel

268.7k](/packages/stolz-laravel-html-tidy)[chrisshick/cakephp3-html-purifier

This is a CakePHP3 Purifier Plugin Behavior that cleanses data before it is marshalled into the entity.

12168.1k](/packages/chrisshick-cakephp3-html-purifier)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)