Htmlpurifier Bundle Laravel Package

exercise/htmlpurifier-bundle


Product Decisions This Supports

  • Security-Critical User-Generated Content (UGC) Handling: Enables safe sanitization of HTML input from users (e.g., comments, forum posts, rich-text editors) to prevent XSS attacks, aligning with compliance requirements (GDPR, PCI-DSS).
  • Roadmap for Scalable Content Moderation: Foundational layer for future features like dynamic whitelisting (e.g., allowing <img> tags only for verified users) or integration with AI moderation tools.
  • Build vs. Buy: Avoids reinventing HTML sanitization wheels; leverages battle-tested HTMLPurifier (used by WordPress, Drupal) while abstracting Symfony integration.
  • Use Cases:
    • Public Facing: Blogs, Q&A platforms, or wikis where users submit HTML.
    • Internal Tools: Employee portals or intranets with rich-text fields.
    • Legacy Migration: Replacing ad-hoc sanitization (e.g., strip_tags()) with a configurable, maintainable solution.

When to Consider This Package

  • Avoid if:
    • Your app doesn’t accept HTML input (e.g., pure text fields). Overkill for simple text sanitization (use htmlspecialchars or Symfony\Component\String\UnicodeStringHelper instead).
    • You need real-time validation (e.g., during form submission). This is a post-processing tool; pair with Symfony’s Validator for pre-submission checks.
    • Your stack isn’t Symfony/Laravel. For non-Symfony PHP, use HTMLPurifier standalone.
    • You require custom DOM manipulation (e.g., rewriting URLs). Consider DOMDocument or Symfony’s Crawler.
  • Consider alternatives if:
    • You need lightweight sanitization (e.g., for URLs/emails): Use paragonie/sanitizer.
    • You’re in a high-performance environment (e.g., CLI scripts): HTMLPurifier has overhead; evaluate PHP’s filter_var for simple cases.
    • Your team lacks Symfony expertise: The bundle adds minor complexity (configuration, service injection).

How to Pitch It (Stakeholders)

For Executives: "This package lets us safely enable HTML in user content—like rich-text comments or forum posts—without exposing our app to security risks. It’s like a ‘sanitizer firewall’ for web content, used by major platforms like WordPress. Low maintenance (one Composer install), high trust (battle-tested library), and future-proof for features like user-specific HTML rules. Minimal dev effort, massive security upside."

For Engineering: "The ExerciseHTMLPurifierBundle integrates HTMLPurifier into Symfony with zero boilerplate. Key benefits:

  • Security: Blocks XSS by default; configurable to allow safe tags (e.g., <b>, <a>).
  • Performance: Caches purified HTML to avoid reprocessing identical input.
  • Flexibility: Define multiple profiles (e.g., strict for admin content, relaxed for trusted users).
  • Symfony-Native: Works with dependency injection, Twig, and forms out of the box.

Tradeoff: ~500KB overhead (one-time cost). Recommended for any project handling HTML input from untrusted sources."

For Developers: "To use:

  1. Install: composer require exercise/htmlpurifier-bundle.
  2. Configure in config/packages/exercise_html_purifier.yaml (or use defaults).
  3. Inject the exercise_html_purifier.default service or use the Twig filter {{ content|purify }}.

Example use case: sanitize a user’s comment before saving it to the DB:

$cleanHtml = $purifier->purify($userInput);

Pro tip: Extend the default config to whitelist specific tags for your use case (e.g., allow <img> but block <script>)."
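A worked version of these steps, as an added example that is not the bundle's or the page's own code: it uses HTMLPurifier standalone (the library the bundle wraps and injects as its service) to build the kind of whitelist profile the pro tip describes and runs it over a constructed untrusted comment. The function names, the sample URLs and the cache directory are assumptions.

```php
<?php
// Added example, not code from the bundle. Assumes ezyang/htmlpurifier is
// installed via Composer and its autoloader is available.
require __DIR__ . '/vendor/autoload.php';

function buildCommentPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist only the formatting a comment needs. Elements and attributes
    // not listed (script, iframe, style, on* handlers, ...) are removed.
    $config->set('HTML.Allowed', 'p,br,b,i,a[href],img[src|alt]');
    // Accept only http/https in href/src; other URL schemes are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Mark user-supplied links rel="nofollow" so they carry no SEO value.
    $config->set('HTML.Nofollow', true);
    // HTMLPurifier caches its parsed definitions; give it a writable directory
    // (assumed location; a Symfony app would use its kernel cache dir).
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

function sanitizeComment(string $untrustedHtml): string
{
    // Building the definition is the expensive part; reuse one instance.
    static $purifier = null;
    $purifier ??= buildCommentPurifier();
    return $purifier->purify($untrustedHtml);
}

// Constructed input: formatting we want to keep, plus the things the whitelist
// must strip (a script element, an inline event handler, an onclick on a link).
$untrusted = <<<'HTML'
<p>Nice write-up, <b>thanks</b>!</p>
<script>/* would run in every reader's browser */</script>
<img src="https://cdn.example.test/pic.png" alt="pic" onerror="x()">
<p><a href="https://example.test/" onclick="y()">source</a></p>
HTML;

$clean = sanitizeComment($untrusted);
// $clean keeps <p>, <b>, the <img> (src and alt only) and the <a> (href only,
// now with rel="nofollow"); the script element with its contents and the
// onerror/onclick attributes are gone. Persist $clean, never $untrusted.
echo $clean, PHP_EOL;
```

Keep the profile as narrow as the feature needs; widening HTML.Allowed later (for example adding img only for verified users) is a deliberate, reviewable change rather than a default.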
