
voku/anti-xss
=============

anti xss-library

Version 4.1.43 · License: MIT · Requires PHP >=7.0.0


㊙️ AntiXSS
==========


"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007." - [http://en.wikipedia.org/wiki/Cross-site\_scripting](http://en.wikipedia.org/wiki/Cross-site_scripting)

### DEMO:


### NOTES:

1. Use [`filter_input()`](http://php.net/manual/de/function.filter-input.php) and don't read the global arrays (e.g. `$_SESSION`, `$_GET`, `$_POST`, `$_SERVER`) directly
2. Use [html-sanitizer](https://github.com/tgalopin/html-sanitizer) or [HTML Purifier](http://htmlpurifier.org/) if you need a more configurable solution
3. Add a "Content Security Policy" -> [Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
4. DO NOT WRITE YOUR OWN REGEX TO PARSE HTML!
5. READ THIS TEXT -> [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)
6. TEST THIS TOOL -> [Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)

### Disable automatic encoding changes


This package depends on `voku/portable-utf8`, which sets `default_charset` to `UTF-8` via `ini_set()` during autoloading.

If you need to prevent this behavior, define the following constant **before** loading the Composer autoloader:

```
define('PORTABLE_UTF8__DISABLE_AUTO_ENCODING', true);
require_once __DIR__ . '/vendor/autoload.php';
```

### Install via "composer require"


```
composer require voku/anti-xss
```

### Usage:


```
use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

$antiXss = new AntiXSS();
```

Example 1: (HTML Character)

```
$harm_string = "Hello, i try to alert('Hack'); your site";
$harmless_string = $antiXss->xss_clean($harm_string);

// Hello, i try to alert&#40;'Hack'&#41;; your site
```

Example 2: (Hexadecimal HTML Character)

```
$harm_string = "";
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

Example 3: (Unicode Hex Character)

```
$harm_string = "CLICK";
$harmless_string = $antiXss->xss_clean($harm_string);

// CLICK
```

Example 4: (Unicode Character)

```
$harm_string = "CLICK";
$harmless_string = $antiXss->xss_clean($harm_string);

// CLICK
```

Example 5.1: (non Inline CSS)

```
$harm_string = '';
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

Example 5.2: (with Inline CSS)

```
$harm_string = '';
$antiXss->removeEvilAttributes(array('style')); // allow style-attributes
$harmless_string = $antiXss->xss_clean($harm_string);

//
```

Example 6: (check if a string contains an XSS attack)

```
$harm_string = "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e";
$harmless_string = $antiXss->xss_clean($harm_string);

//

$antiXss->isXssFound();

// true
```

Example 7: (allow e.g. iframes)

```
$harm_string = "";

$antiXss->removeEvilHtmlTags(array('iframe'));

$harmless_string = $antiXss->xss_clean($harm_string);

//
```

### Unit Test:


1. [Composer](https://getcomposer.org) is a prerequisite for running the tests.

```
composer install

```

2. The tests can be executed by running this command from the root directory:

```
XDEBUG_MODE=coverage ./vendor/bin/phpunit -c phpunit.xml
```

### Mutation testing with static analysis:


CI runs [Infection](https://infection.github.io/) with PHPStan integration on the PHP 8.3 pull-request job. This uses `infection.json5.dist`, requires 100% MSI on the mutated diff, and fails on any timed-out mutant so sanitizer loops cannot silently regress.

To run the same toolchain locally on PHP 8.3+:

```
composer config --no-plugins allow-plugins.infection/extension-installer true
composer require --dev phpstan/phpstan:^2.1 infection/infection:^0.32.7 --no-update
composer update
XDEBUG_MODE=coverage ./vendor/bin/infection --configuration=infection.json5.dist
```

### Prompt for future LLM dictionary checks


Use this prompt when you want an LLM to expand regression coverage around AntiXSS dictionaries without manually copying them into tests:

```
You are working in the voku/anti-xss repository.

1. Run the current PHPUnit suite first with:
   XDEBUG_MODE=coverage ./vendor/bin/phpunit -c phpunit.xml
2. Inspect /src/voku/helper/AntiXSS.php for dictionary-style private arrays such as:
   - _never_allowed_on_events_afterwards
   - _evil_attributes_regex
   - _naughty_javascript_patterns
   - _naughty_javascript_patterns_strict
   - _never_allowed_str_afterwards
3. For each dictionary that has a safe generic assertion shape, add or extend provider-based tests that iterate every current entry automatically.
4. Prefer reflection-backed test providers over copying the source dictionaries into test files, so newly added entries are covered automatically.
5. For each dictionary, test both the intended blocking behavior and at least one important boundary rule when relevant (for example strict vs. whitespace-separated JavaScript callbacks, or executable vs. non-executable event attribute forms).
6. Make the smallest possible production change only if the expanded dictionary coverage exposes a real regression.
7. Re-run PHPUnit after each small step and continue iterating across the targeted dictionaries until you find and fix at least one real regression for the task, or confirm that the remaining dictionaries are already covered.

```
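A reflection-backed provider of the kind the prompt asks for, as an added example that is not taken from the project's test suite. It assumes `_never_allowed_on_events_afterwards` holds plain event-name strings and that the installed PHPUnit version supports `@dataProvider` annotations; the class name and the sample markup are constructed for illustration.

```php
<?php
declare(strict_types=1);

use PHPUnit\Framework\TestCase;
use voku\helper\AntiXSS;

// Added example: class name and sample markup are hypothetical.
final class OnEventDictionaryTest extends TestCase
{
    /**
     * Read a private dictionary from AntiXSS via reflection, so entries added
     * to the library later are covered without editing this test.
     *
     * @return string[]
     */
    private static function readDictionary(string $property): array
    {
        $ref = new \ReflectionProperty(AntiXSS::class, $property);
        if (\PHP_VERSION_ID < 80100) {
            $ref->setAccessible(true); // only needed before PHP 8.1
        }
        // Works whether the dictionary is a static or an instance property.
        $values = $ref->isStatic() ? $ref->getValue() : $ref->getValue(new AntiXSS());

        // Assumption: entries are plain strings; anything else is skipped.
        return \array_values(\array_unique(\array_filter((array) $values, 'is_string')));
    }

    /** @return iterable<string, array{string}> */
    public static function onEventProvider(): iterable
    {
        foreach (self::readDictionary('_never_allowed_on_events_afterwards') as $event) {
            yield $event => [$event];
        }
    }

    /** @dataProvider onEventProvider */
    public function testEventHandlerAttributeIsNeutralised(string $event): void
    {
        $antiXss = new AntiXSS();
        // Constructed input: the handler in its executable attribute form.
        $input = '<div ' . $event . '="alert(1)">text</div>';

        $output = $antiXss->xss_clean($input);

        self::assertTrue($antiXss->isXssFound(), $event . ' was not reported');
        self::assertStringNotContainsStringIgnoringCase($event . '=', $output);
    }

    public function testDictionaryIsNotEmpty(): void
    {
        // Guards against the provider silently producing zero cases.
        self::assertNotEmpty(self::readDictionary('_never_allowed_on_events_afterwards'));
    }
}
```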

AntiXss methods
---------------

- [addDoNotCloseHtmlTags](#adddonotclosehtmltagsstring-strings-this)
- [addEvilAttributes](#addevilattributesstring-strings-this)
- [addEvilHtmlTags](#addevilhtmltagsstring-strings-this)
- [addNeverAllowedCallStrings](#addneverallowedcallstringsstring-strings-this)
- [addNeverAllowedJsCallbackRegex](#addneverallowedjscallbackregexstring-strings-this)
- [addNeverAllowedOnEventsAfterwards](#addneverallowedoneventsafterwardsstring-strings-this)
- [addNeverAllowedRegex](#addneverallowedregexstring-strings-this)
- [addNeverAllowedStrAfterwards](#addneverallowedstrafterwardsstring-strings-this)
- [addNaughtyJavascriptPatterns](#addnaughtyjavascriptpatterns-strings-this)
- [isXssFound](#isxssfound-boolnull)
- [removeDoNotCloseHtmlTags](#removedonotclosehtmltagsstring-strings-this)
- [removeEvilAttributes](#removeevilattributesstring-strings-this)
- [removeEvilHtmlTags](#removeevilhtmltagsstring-strings-this)
- [removeNeverAllowedCallStrings](#removeneverallowedcallstringsstring-strings-this)
- [removeNeverAllowedJsCallbackRegex](#removeneverallowedjscallbackregexstring-strings-this)
- [removeNeverAllowedOnEventsAfterwards](#removeneverallowedoneventsafterwardsstring-strings-this)
- [removeNeverAllowedRegex](#removeneverallowedregexstring-strings-this)
- [removeNeverAllowedStrAfterwards](#removeneverallowedstrafterwardsstring-strings-this)
- [setKeepPreAndCodeTagContent](#setkeeppreandcodetagcontentbool-bool-this)
- [setReplacement](#setreplacementstring-string-this)
- [setStripe4byteChars](#setstripe4bytecharsbool-bool-this)
- [xss\_clean](#xss_cleanstringstring-str-stringstring)

addDoNotCloseHtmlTags(string\[\] $strings): $this
-------------------------------------------------

Add some strings to the `_do_not_close_html_tags` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addEvilAttributes(string\[\] $strings): $this
---------------------------------------------

Add some strings to the `_evil_attributes` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addEvilHtmlTags(string\[\] $strings): $this
-------------------------------------------

Add some strings to the `_evil_html_tags` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedCallStrings(string\[\] $strings): $this
------------------------------------------------------

Add some strings to the `_never_allowed_call_strings` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedJsCallbackRegex(string\[\] $strings): $this
----------------------------------------------------------

Add some strings to the `_never_allowed_js_callback_regex` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedOnEventsAfterwards(string\[\] $strings): $this
-------------------------------------------------------------

Add some strings to the `_never_allowed_on_events_afterwards` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedRegex(string\[\] $strings): $this
------------------------------------------------

Add some strings to the `_never_allowed_regex` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNeverAllowedStrAfterwards(string\[\] $strings): $this
--------------------------------------------------------

Add some strings to the `_never_allowed_str_afterwards` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

addNaughtyJavascriptPatterns(string\[\] $strings): $this
--------------------------------------------------------

Add some strings to the `_naughty_javascript_patterns` array.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

isXssFound(): bool|null
-----------------------

Check if the `AntiXSS->xss_clean()` method found an XSS attack in the last run.

**Parameters:** **nothing**

**Return:**

- `bool|null Will return null if the "xss_clean()" wasn't running at all.`

---

removeDoNotCloseHtmlTags(string\[\] $strings): $this
----------------------------------------------------

Remove some strings from the `_do_not_close_html_tags` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeEvilAttributes(string\[\] $strings): $this
------------------------------------------------

Remove some strings from the `_evil_attributes` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeEvilHtmlTags(string\[\] $strings): $this
----------------------------------------------

Remove some strings from the `_evil_html_tags` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedCallStrings(string\[\] $strings): $this
---------------------------------------------------------

Remove some strings from the `_never_allowed_call_strings` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedJsCallbackRegex(string\[\] $strings): $this
-------------------------------------------------------------

Remove some strings from the `_never_allowed_js_callback_regex` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedOnEventsAfterwards(string\[\] $strings): $this
----------------------------------------------------------------

Remove some strings from the `_never_allowed_on_events_afterwards` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedRegex(string\[\] $strings): $this
---------------------------------------------------

Remove some strings from the `_never_allowed_regex` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

removeNeverAllowedStrAfterwards(string\[\] $strings): $this
-----------------------------------------------------------

Remove some strings from the `_never_allowed_str_afterwards` array.

WARNING: Use this method only if you have a really good reason.

**Parameters:**

- `string[] $strings`

**Return:**

- `$this`

---

setReplacement(string $string): $this
-------------------------------------

Set the replacement-string for not allowed strings.

**Parameters:**

- `string $string`

**Return:**

- `$this`

---

setKeepPreAndCodeTagContent(bool $bool): $this
----------------------------------------------

Set the option to preserve content inside "pre" and "code" tags.

WARNING: Enable this only if you explicitly want literal code-like text in "pre" / "code" blocks to remain untouched.

**Parameters:**

- `bool $bool`

**Return:**

- `$this`

---

setStripe4byteChars(bool $bool): $this
--------------------------------------

Set the option to strip 4-byte chars.

INFO: use it if your DB (MySQL) can't use "utf8mb4" -> preventing stored XSS attacks

**Parameters:**

- `bool $bool`

**Return:**

- `$this`

---

xss\_clean(string|string\[\] $str): string|string\[\]
-----------------------------------------------------

XSS Clean

Sanitizes data so that "Cross Site Scripting" hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. But keep in mind that nothing is ever 100% foolproof...

**Note:** Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

**Parameters:**

- `TXssCleanInput $str input data e.g. string or array of strings`

**Return:**

- `string|string[]`
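The following added example (not code from the anti-xss project) applies `xss_clean()` once, at submission, to values read through `filter_input()`, and reads `isXssFound()` after each field because it reports on the last run only. The field names, the helper `clean_submission()` and the CLI sample input are assumptions made for illustration; the sample string is the one from Example 6.

```php
<?php
declare(strict_types=1);

use voku\helper\AntiXSS;

require_once __DIR__ . '/vendor/autoload.php'; // example path

/**
 * Clean submitted fields one at a time and record which ones were flagged.
 * (Hypothetical helper for this example.)
 *
 * @param array<string, string|null> $fields raw values keyed by field name
 * @return array{clean: array<string, string>, flagged: list<string>}
 */
function clean_submission(AntiXSS $antiXss, array $fields): array
{
    $clean = [];
    $flagged = [];

    foreach ($fields as $name => $raw) {
        if (!is_string($raw)) {
            continue; // field missing from the request
        }
        $clean[$name] = $antiXss->xss_clean($raw);
        // isXssFound() describes the most recent xss_clean() run, so read it
        // before the next field is cleaned.
        if ($antiXss->isXssFound() === true) {
            $flagged[] = $name;
        }
    }

    return ['clean' => $clean, 'flagged' => $flagged];
}

// Hypothetical form fields for this example.
$fieldNames = ['title', 'comment'];

$fields = [];
foreach ($fieldNames as $name) {
    // filter_input() instead of $_POST; FILTER_UNSAFE_RAW leaves the value
    // unchanged so that xss_clean() sees exactly what was submitted.
    $value = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    $fields[$name] = is_string($value) ? $value : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input so the script can be run without a web server.
    $fields = [
        'title'   => 'Hello world',
        'comment' => "\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e",
    ];
}

$result = clean_submission(new AntiXSS(), $fields);

foreach ($result['flagged'] as $name) {
    // Log the field name only; the raw value may itself be hostile.
    error_log(sprintf('anti-xss flagged field "%s"', $name));
}

// Store $result['clean'] from here on; cleaning runs once, at submission.
var_dump($result['flagged']);
```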

---

### Support


For support and donations please visit [Github](https://github.com/voku/anti-xss/) | [Issues](https://github.com/voku/anti-xss/issues) | [PayPal](https://paypal.me/moelleken) | [Patreon](https://www.patreon.com/voku).

For status updates and release announcements please visit [Releases](https://github.com/voku/anti-xss/releases) | [Twitter](https://twitter.com/suckup_de) | [Patreon](https://www.patreon.com/voku/posts).

For professional support please contact [me](https://about.me/voku).

### Thanks

- Thanks to [GitHub](https://github.com) (Microsoft) for hosting the code and a good infrastructure including Issues-Management, etc.
- Thanks to [IntelliJ](https://www.jetbrains.com) as they make the best IDEs for PHP and they gave me an open source license for PhpStorm!
- Thanks to [Travis CI](https://travis-ci.com/) for being the most awesome, easiest continuous integration tool out there!
- Thanks to [StyleCI](https://styleci.io/) for the simple but powerful code style check.
- Thanks to [PHPStan](https://github.com/phpstan/phpstan) && [Psalm](https://github.com/vimeo/psalm) for really great static analysis tools and for discovering bugs in the code!

### License


[![FOSSA Status](https://camo.githubusercontent.com/a00d4011718395631cb29883db5cd3b10ae23aae3b3e7426095b82650345bdd3/68747470733a2f2f6170702e666f7373612e696f2f6170692f70726f6a656374732f6769742532426769746875622e636f6d253246766f6b75253246616e74692d7873732e7376673f747970653d6c61726765)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvoku%2Fanti-xss?ref=badge_large)
