About the Author

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

HTML Purifier

Thu, 28 Jun 2007 at 05:26:29 GMT
4 Comments
References

I've been focusing on work and neglecting my blog lately, but I want to take a moment to highlight HTML Purifier, a tool developed by Edward Yang. Edward contacted me a few days ago to let me know that he has just released version 2.0, and because this post is tardy, version 2.0.1 is already available.

What is HTML Purifier? In Edward's own words:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

I feel comfortable recommending HTML Purifier based on its solid theory of operation as well as its ability to safely handle the XSS Cheat Sheet in its entirety. (Try for yourself.)

HTML Purifier enforces standards, and Edward has explained why this approach is valuable:

I've previously proposed that by insisting standards compliance, you protect yourself against browser quirks. While there wasn't that much discussion on it, I think that it is very possible to do HTML safely.

This is where HTML Purifier really shines. (There are additional reasons to choose it.) Because standards-compliant markup has a limited amount of wiggle room for crafting tricky XSS exploits, enforcing standards can tame a practically unmanageable problem.

I'll probably be talking about HTML Purifier more in the future. In the meantime, perhaps you'd like to try to break it. :-)

About This Post

HTML Purifier was posted on Thu, 28 Jun 2007 at 05:26:29 GMT.

4 Comments

1. Chris Shiflett said:

Christian Matthies has posted an interview with Edward:

http://christ1an.blogspot.com/2007/...ard-z-yang.html
Thu, 28 Jun 2007 at 20:45:27 GMT Link

2. Luke said:

Excellent! This is an amazing library. :)
Fri, 29 Jun 2007 at 00:18:47 GMT Link

3. Mindloop said:

I've been playing around a bit with HTMLPurifier and have been trying to get some XSS to pass trough, no luck so far.

Also wrote a quick guide for those that want to use HTMLPurifier in the codeigniter framework
Thu, 05 Jul 2007 at 20:20:53 GMT Link

4. Santosh Patnaik said:

htmLawed is a new PHP script like HTML Purifier that can be used to make HTML in input text more secure and standard-compliant, and to administratively restrict HTML elements, attributes, etc. It is a single file script of ~45 kb with low memory usage, and is highly customizable.
Thu, 15 Nov 2007 at 18:11:02 GMT Link

Upcoming Events

Brooklyn Beta

21 - 22 Oct 2010

At The Invisible Dog, Brooklyn, New York.

New Comments

Chris Shiflett wrote:: Hi John, How do you avoid race conditions with this? The findandmodify() command is atomic,...; Posted in Auto Increment with MongoDB
John Judy wrote:: How do you avoid race conditions with this? Once you get to a certain traffic volume two or more ...; Posted in Auto Increment with MongoDB
Chris Shiflett wrote:: Hey Ivo, Andrei is best suited to give a full response, since he's the one who researched this...; Posted in Auto Increment with MongoDB
Ivo wrote:: Although you did mention that you werent going to discuss the why, I can't think of a single vali...; Posted in Auto Increment with MongoDB
Stikkyfinger wrote:: Jon Gibbins plays a mean guitar? I'd be interested to know what he plays and what type of guitar ...; Posted in Hello, Analog