wackowiki/safehtml
==================

SafeHTML is an HTML filter that sanitizes potentially dangerous content, protecting against XSS and other injection attacks by removing harmful tags, attributes, protocols, and CSS expressions.

Since Jun 13

[Source](https://github.com/WackoWiki/safehtml) | [Packagist](https://packagist.org/packages/wackowiki/safehtml)

SafeHTML
========

**SafeHTML** is a defensive HTML filter for PHP that strips all potentially dangerous content from HTML to protect against **XSS** (Cross-Site Scripting) and other code-injection attacks.

It is a continuation of the original `HTML_Safe` parser by Roman Ivanov, maintained by the [WackoWiki](https://wackowiki.org) project.

---

Features
--------

- Removes dangerous tags: ``, ``, ``, ``, ``, ``, ``, ``, ``, etc.
- Removes dangerous attributes: any `on*` event handler, `data-*`, `id`, `name`, `dynsrc`, etc.
- Filters URL protocols in attributes such as `href`, `src`, `action` — defaults to a **whitelist** (`http`, `https`, `mailto`, `ftp`, …), with optional **blacklist** mode.
- Strips dangerous CSS keywords from inline `style=""` attributes (`expression`, `behavior`, `moz-binding`, …).
- Normalises **UTF-7** obfuscation tricks used by spammers.
- Escapes stray `
