Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Purify Laravel Package

stevebauman/purify

Laravel wrapper for HTMLPurifier to sanitize user-submitted HTML. Clean strings or arrays via a simple facade, with support for dynamic per-call configuration, published config, and caching options to keep output safe and consistent.


Product Decisions This Supports

  • Security Compliance: Enables allow-list HTML sanitization to prevent stored and reflected XSS, in line with OWASP's XSS prevention guidance and with frameworks such as PCI DSS that require common web vulnerabilities (XSS among them) to be addressed in custom code.
  • Rich Text Editing: Supports integration with WYSIWYG editors (e.g., Trix, CKEditor) by allowing custom HTML definitions for editor-specific attributes (e.g., data-trix-*).
  • Multi-Channel Content: Facilitates consistent sanitization across web, email, and API responses by defining reusable configurations (e.g., comments, posts).
  • Performance Optimization: Reduces runtime overhead by caching HTMLPurifier definitions, critical for high-traffic applications (e.g., news sites, forums).
  • Developer Experience: Eliminates manual sanitization logic (e.g., strip_tags, regex) with a declarative, Laravel-native solution, reducing technical debt.
  • Future-Proofing: Supports dynamic configuration per request or model attribute, enabling granular control over sanitization rules without refactoring.
  • Build vs. Buy: Avoids reinventing HTML sanitization wheels (e.g., custom regex, DOM parsing) while offering extensibility for edge cases (e.g., custom elements like <figure> for Trix).

When to Consider This Package

  • Adopt if:

    • Your app accepts user-generated HTML (e.g., comments, rich text fields, CMS content).
    • You need consistent sanitization across multiple environments (web, API, email).
    • Your team uses Laravel and wants to avoid low-level HTMLPurifier setup.
    • You require custom HTML/CSS rules (e.g., for WYSIWYG editors like Trix or Quill).
    • Security audits flag XSS vulnerabilities in user input.
  • Look elsewhere if:

    • You’re using a non-Laravel framework (e.g., Django, Rails) or need a pure PHP solution without Laravel wrappers.
    • Your use case is simple (e.g., the field holds plain text and is never rendered as HTML), so escaping on output (Blade's {{ }} or htmlspecialchars()) is enough. Note that strip_tags() alone is not an XSS defense: it removes tags but does not neutralize what is left for an HTML context.
    • You need client-side sanitization for a live in-browser preview; a server-side purifier only sees content once it is submitted.
    • Your app has no rich-text input and very low traffic, so the package's per-type configuration and definition caching bring little over a single escaped field.
    • You need to preserve executable content (e.g., sanitizing rather than removing <script> in SPA templates); HTMLPurifier removes scripts and event-handler attributes outright and does not sanitize JavaScript.

How to Pitch It (Stakeholders)

For Executives/Business Leaders

"This package lets us safely enable rich user content (e.g., formatted comments, editor posts) without exposing our app to XSS attacks. It’s like a ‘security firewall’ for HTML input: it automatically blocks malicious scripts while preserving safe formatting. For example, we can let users write in Trix or CKEditor while greatly reducing the risk of injected code. The HTMLPurifier library underneath has been in production use for many years, and the wrapper integrates seamlessly with Laravel, reducing dev time and risk."

Key Outcomes:

  • Mitigate security risks (XSS vulnerabilities) in user-generated content.
  • Enable richer user experiences (e.g., WYSIWYG editors) without compromising safety.
  • Reduce maintenance costs by centralizing sanitization logic and avoiding ad-hoc fixes.

For Engineering Teams

"This is a batteries-included Laravel wrapper for HTMLPurifier, the gold standard for HTML sanitization. It solves:

  1. Security: Automatically strips malicious scripts/HTML while preserving safe markup.
  2. Flexibility: Supports custom rules for editors (e.g., Trix, Quill) via extensible definitions.
  3. Performance: Caches definitions to avoid reprocessing on every request.
  4. Consistency: Reusable configs for different content types (e.g., comments, posts).

Why not roll our own?

  • HTMLPurifier is battle-tested: maintained since 2006, it parses input into a document tree and validates it against an explicit allow-list of elements and attributes rather than pattern-matching the raw string.
  • Avoids regex/DOM parsing pitfalls (e.g., false positives/negatives).
  • Laravel-native: Works with Eloquent casts, Facades, and config files.

Example Use Cases:

  • Sanitize comments/forum posts on-the-fly.
  • Clean rich text from a CMS before rendering.
  • Whitelist specific HTML for WYSIWYG editors (e.g., Trix’s data-trix-* attributes).

Trade-offs:

  • Minor cold-start latency (first request caches definitions).
  • Requires PHP 7.4+ and Laravel 7+ (check the package's composer.json for the exact constraint of the version you install).

Next Steps:

  1. Add to composer.json and publish the config.
  2. Define sanitization rules per content type (e.g., config/purify.php).
  3. Use the PurifyHtmlOnGet cast for Eloquent models or call Purify::clean() manually.

Let’s demo how it handles a malicious payload vs. safe Trix HTML!"
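The following is an added example for the steps above (define rules per content type, register a custom definition for Trix, use the cast or Purify::clean()). It is not code from stevebauman/purify or its README. The class names App\Support\TrixDefinition, App\Support\RichText and App\Support\Post, the rule sets and the attacker payload are constructed for illustration; the Definition interface's apply() signature, the "definitions" key in config/purify.php and the ":trix" argument on the cast are assumptions to confirm against the installed package version. The HTMLPurifier directive names (HTML.Allowed, URI.AllowedSchemes, HTML.DefinitionID, etc.) are HTMLPurifier's own.

```php
<?php
// Added example, not the package's own code. One file for readability; in an
// app these would be three classes, and the rule arrays would live under
// "configs" in config/purify.php.

namespace App\Support;

use HTMLPurifier_HTMLDefinition;
use Illuminate\Database\Eloquent\Model;
use InvalidArgumentException;
use Stevebauman\Purify\Casts\PurifyHtmlOnGet;
use Stevebauman\Purify\Definitions\Definition;
use Stevebauman\Purify\Facades\Purify;

// Custom definition (assumption: registered under the "definitions" key of
// config/purify.php). It teaches HTMLPurifier the <figure> markup and
// data-trix-* attributes Trix emits; anything not declared stays forbidden.
class TrixDefinition implements Definition
{
    public static function apply(HTMLPurifier_HTMLDefinition $definition)
    {
        $definition->addElement('figure', 'Block', 'Flow', 'Common');
        $definition->addElement('figcaption', 'Inline', 'Flow', 'Common');

        // 'Text' accepts any string, which is safe here because none of these
        // attributes is interpreted as a URL or script by the browser; the
        // content type is pinned to an explicit enum of image types.
        $definition->addAttribute('figure', 'data-trix-attachment', 'Text');
        $definition->addAttribute('figure', 'data-trix-attributes', 'Text');
        $definition->addAttribute('figure', 'data-trix-content-type',
            'Enum#image/png,image/jpeg,image/gif');
    }
}

// Rule sets keyed by content type. Passing the array to Purify::config()
// keeps this example self-contained; in production select the named entry
// from config/purify.php with Purify::config('comments') instead.
final class RichText
{
    private const RULES = [
        // Comments: inline formatting and links only; no images, no style.
        'comments' => [
            'HTML.Allowed'           => 'p,br,b,strong,i,em,code,pre,blockquote,ul,ol,li,a[href]',
            'URI.AllowedSchemes'     => ['http' => true, 'https' => true, 'mailto' => true],
            'HTML.Nofollow'          => true,
            'HTML.TargetBlank'       => true,
            'AutoFormat.RemoveEmpty' => true,
        ],
        // Trix output: headings, images and attachment figures. Attributes
        // must be listed explicitly; on* handlers are never allowed.
        'trix' => [
            'HTML.Allowed'       => 'h1,p,br,b,strong,i,em,del,a[href],ul,ol,li,blockquote,pre,'
                                  . 'img[src|alt|width|height],'
                                  . 'figure[class|data-trix-attachment|data-trix-attributes|data-trix-content-type],'
                                  . 'figcaption[class]',
            'URI.AllowedSchemes' => ['http' => true, 'https' => true],
            'HTML.DefinitionID'  => 'app-trix', // required once the definition is customized
            'HTML.DefinitionRev' => 1,          // bump whenever TrixDefinition changes
        ],
    ];

    public static function clean(string $html, string $type): string
    {
        if (! isset(self::RULES[$type])) {
            throw new InvalidArgumentException("Unknown content type: {$type}");
        }

        return Purify::config(self::RULES[$type])->clean($html);
    }

    // Constructed payload: legitimate Trix markup mixed with XSS attempts.
    public static function samplePayload(): string
    {
        return '<p>Hello <b>world</b></p>'
            . '<script>alert(document.cookie)</script>'
            . '<img src="x" onerror="alert(1)">'
            . '<a href="javascript:alert(1)">click</a>'
            . '<p style="background:url(javascript:alert(1))">styled</p>'
            . '<figure data-trix-content-type="image/png" class="attachment attachment--preview">'
            . '<img src="https://cdn.example.test/a.png" width="640" height="480">'
            . '<figcaption class="attachment__caption">A caption</figcaption></figure>';
    }
}

// Eloquent model: sanitizing on read stores the raw submission and re-cleans
// it every time it is accessed, so a rule change needs no data migration;
// PurifyHtmlOnSet sanitizes on write instead. The ":trix" argument selects a
// named config from config/purify.php (assumption: confirm syntax in README).
class Post extends Model
{
    protected $casts = [
        'body' => PurifyHtmlOnGet::class . ':trix',
    ];
}

// Usage (e.g., in tinker): both calls drop the <script>, the onerror
// handler, the javascript: href and the inline style; only the "trix" rules
// keep the <img> and the <figure> with its data-trix-* attributes.
// RichText::clean(RichText::samplePayload(), 'comments');
// RichText::clean(RichText::samplePayload(), 'trix');
```

When choosing between the two casts, remember that PurifyHtmlOnGet runs the purifier on every read, so the definition cache (the "serializer" settings in config/purify.php) matters for hot paths, while PurifyHtmlOnSet trades that cost for data that is only as safe as the rules in force when it was written.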
