
typo3/html-sanitizer
====================

HTML sanitizer aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.

Version v2.2.0. License: MIT. Requires PHP ^7.2 || ^8.0. [Source](https://github.com/TYPO3/html-sanitizer), [Packagist](https://packagist.org/packages/typo3/html-sanitizer).

TYPO3 HTML Sanitizer
====================

> ℹ️ Common safe HTML tags & attributes as given in [`\TYPO3\HtmlSanitizer\Builder\CommonBuilder`](src/Builder/CommonBuilder.php) still might be adjusted, extended or rearranged to more specific builders.

In a Nutshell
-------------

This `typo3/html-sanitizer` package aims to be a standalone component that can be used by any PHP-based project or library. Although it is released within the TYPO3 namespace, it is agnostic to the specifics of [TYPO3 CMS](https://github.com/typo3/typo3).

- [`\TYPO3\HtmlSanitizer\Behavior`](src/Behavior.php) contains declarative settings for a particular process for sanitizing HTML.
- [`\TYPO3\HtmlSanitizer\Visitor\VisitorInterface`](src/Visitor/VisitorInterface.php) implementations (multiple different visitors can exist at the same time) do the actual work based on the declared `Behavior`. Visitors can modify nodes or mark them for deletion.
- [`\TYPO3\HtmlSanitizer\Sanitizer`](src/Sanitizer.php) can be considered the working instance: it invokes visitors and parses and serializes HTML. In general, this instance does not contain much logic on how to handle particular nodes, attributes or values.
- [`\TYPO3\HtmlSanitizer\Builder\BuilderInterface`](src/Builder/BuilderInterface.php) can be used to create multiple different builder instances, in terms of "presets", which combine declaring a particular `Behavior`, initializing `VisitorInterface` instances, and finally returning a ready-to-use `Sanitizer` instance.

Installation
------------


```
composer req typo3/html-sanitizer
```

Example & API
-------------

```
