Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Log in Register
Home
Packages
Purify
Assessments

Purify Laravel Package

stevebauman/purify

Laravel wrapper for HTMLPurifier to sanitize user-submitted HTML. Clean strings or arrays via a simple facade, with support for dynamic per-call configuration, published config, and caching options to keep output safe and consistent.

View on GitHub
Deep Wiki
Context7

Technical Evaluation

Architecture Fit

  • Laravel Native Integration: The package is a Laravel-specific wrapper for HTMLPurifier, leveraging Laravel’s service provider, facade, and configuration systems. This ensures seamless integration with Laravel’s ecosystem (e.g., dependency injection, configuration publishing, and Artisan commands).
  • Modular Design: Supports multiple configuration sets (e.g., default, comments), enabling granular control over sanitization rules per use case (e.g., user-generated content vs. admin panels).
  • Extensibility: Allows custom HTML/CSS definitions via interfaces (Definition, CssDefinition), making it adaptable to niche requirements (e.g., Trix editor support, custom elements/attributes).
  • Caching Layer: Built-in caching for HTMLPurifier’s serialized definitions improves performance in production, with configurable cache backends (filesystem, Redis, etc.).

Integration Feasibility

  • Low Friction: Installation is straightforward (composer require, vendor:publish), with minimal boilerplate. The facade (Purify) provides a clean API for sanitization.
  • Backward Compatibility: Supports Laravel 7+ and PHP 7.4+, with clear upgrade paths (e.g., v4→v5 migration guide). Compatible with modern Laravel features (e.g., Eloquent casts in v10+).
  • Dependency Risks: Relies on ezyang/htmlpurifier (v4.16+), which is stable but may introduce breaking changes in minor updates. The package abstracts most of these risks, but TPMs should monitor upstream updates.
  • Testing Overhead: Requires testing edge cases (e.g., malformed HTML, XSS vectors) to validate configuration rules. The package includes a test suite, but custom definitions may need additional validation.

Technical Risk

  • Configuration Complexity: HTMLPurifier’s settings are verbose and require deep understanding to avoid over/under-sanitization. Misconfigurations (e.g., allowing unsafe attributes like onclick) could introduce vulnerabilities.
  • Performance: Caching mitigates repeated serialization costs, but custom definitions or large-scale sanitization (e.g., bulk API responses) may strain memory. Benchmarking is recommended for high-throughput systems.
  • Custom Logic: Extending definitions (e.g., for Trix editor) requires PHP knowledge of HTMLPurifier’s internals. Poorly implemented custom rules could break sanitization.
  • Deprecation Risk: While stevebauman/purify is actively maintained, htmlpurifier is a long-standing library with occasional breaking changes. Monitor for Laravel 11+ compatibility if upgrading.

Key Questions

  1. Use Case Alignment:
    • Are sanitization rules uniform across the app, or do different contexts (e.g., comments vs. admin content) require distinct configurations?
    • Will custom HTML/CSS definitions be needed (e.g., for WYSIWYG editors like Trix)?
  2. Performance Requirements:
    • What is the expected volume of sanitized content (e.g., per request, batch processing)?
    • Is caching enabled, and which backend (filesystem/Redis) is preferred?
  3. Security Trade-offs:
    • Are there legitimate use cases for allowing inline styles or custom attributes (e.g., data-*)? If so, how will these be audited?
    • Will sanitization occur on input (onSet) or output (onGet)? (Package recommends onGet for flexibility.)
  4. Maintenance:
    • Who will own the configuration (e.g., security team, frontend devs) and how will changes be reviewed?
    • Are there plans to extend the package (e.g., custom middleware, API resources)?
  5. Compatibility:
    • Does the app use Laravel’s Eloquent models? If so, will PurifyHtmlOnGet casts be leveraged?
    • Are there existing sanitization libraries (e.g., DOMParser, htmlentities) that could conflict?

Integration Approach

Stack Fit

  • Laravel Ecosystem: Ideal for Laravel applications needing HTML sanitization. Integrates natively with:
    • Facades: Purify::clean() for ad-hoc sanitization.
    • Eloquent: PurifyHtmlOnGet casts for automatic sanitization on model retrieval.
    • Requests: Middleware or form requests to sanitize user input.
    • APIs: Response filters or formatters to sanitize dynamic content.
  • Non-Laravel PHP: While the package is Laravel-specific, the underlying htmlpurifier can be used standalone if needed (though this requires manual setup).
  • Frontend Integration: Works seamlessly with frontend frameworks (e.g., Vue/React) that render server-side HTML (e.g., rich text editors like Trix).

Migration Path

  1. Assessment Phase:
    • Audit existing sanitization logic (e.g., strip_tags, regex, or manual DOM parsing).
    • Identify pain points (e.g., false positives/negatives, performance bottlenecks).
  2. Pilot Integration:
    • Install the package and publish the config (vendor:publish).
    • Start with the default configuration and test against a subset of user-generated content.
    • Gradually replace legacy sanitization with Purify::clean().
  3. Configuration Refinement:
    • Define additional configs (e.g., comments, admin) in config/purify.php.
    • Customize definitions for specific needs (e.g., Trix editor support).
  4. Automation:
    • Apply PurifyHtmlOnGet casts to Eloquent models for passive sanitization.
    • Add middleware or form request validation to sanitize input early.
  5. Deprecation:
    • Phase out legacy sanitization logic post-validation.
    • Document the new approach for the team.

Compatibility

  • Laravel Versions: Tested on Laravel 7+. For Laravel 11+, verify casts() method syntax.
  • PHP Extensions: Requires no additional PHP extensions beyond Laravel’s defaults.
  • Database: No schema changes required; works with any database storing HTML content.
  • Third-Party Packages: Potential conflicts with other sanitization packages (e.g., spatie/laravel-html). Audit dependencies to avoid duplication.
  • Caching: Ensure the cache driver (e.g., Redis, filesystem) is configured and accessible. Dedicate a cache store/disk for Purify to avoid collisions.

Sequencing

  1. Core Integration:
    • Install and configure the package.
    • Test basic sanitization (Purify::clean()).
  2. Model-Level Sanitization:
    • Apply PurifyHtmlOnGet casts to critical models (e.g., Post, Comment).
  3. API/Request Sanitization:
    • Add middleware or form requests to sanitize input (e.g., request()->purify()).
  4. Custom Configs:
    • Define and test additional configs (e.g., comments, rich_text).
  5. Custom Definitions:
    • Implement and validate custom HTML/CSS definitions (e.g., for Trix).
  6. Performance Optimization:
    • Enable caching and benchmark under load.
    • Adjust serializer paths if using shared storage.
  7. Rollback Plan:
    • Maintain legacy sanitization as a fallback during transition.
    • Document rollback steps in case of critical issues.

Operational Impact

Maintenance

  • Configuration Management:
    • Centralize sanitization rules in config/purify.php for easy updates.
    • Use environment-specific configs (e.g., purify.php overrides in .env) for staging/production differences.
  • Custom Definitions:
    • Version-control custom definition classes (e.g., TrixPurifierDefinitions) alongside the app.
    • Document the purpose of each custom rule to aid future maintenance.
  • Dependency Updates:
    • Monitor stevebauman/purify and htmlpurifier for breaking changes.
    • Test updates in a staging environment before deployment.
  • Cache Maintenance:
    • Schedule purify:clear during deployments if definitions change.
    • Monitor cache storage (e.g., filesystem disk space) for large-scale usage.

Support

  • Debugging:
    • Use Purify::clean($input, true) to inspect sanitized output and identify issues.
    • Log sanitization failures (e.g., malformed HTML) for analysis.
  • Common Issues:
    • False Positives: Adjust HTML.Allowed or CSS.AllowedProperties to permit legitimate content.
    • Performance: Optimize caching or reduce definition complexity for high-throughput systems.
    • XSS Bypass: Regularly audit configurations for overlooked vectors (e.g., javascript: in href).
  • Team Onboarding:
    • Document sanitization rules and their rationale (e.g., "Why are data-* attributes allowed?").
    • Provide examples of safe/unsafe HTML snippets for reference.

Scaling

  • Performance Bottlenecks:
    • Caching: Ensure the serializer cache is properly configured (e.g., Redis for distributed systems).
    • Memory: Large-scale sanitization (e.g., bulk API responses) may require chunking or async processing.
    • Definitions: Complex custom definitions increase serialization overhead; simplify where possible.
  • Horizontal Scaling:
    • Stateless design means the
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
hexters/coinpayment
rjcodes/rjcms
act-training/laravel-permissions-manager
alimarchal/laravel-chart-of-accounts
babenkoivan/elastic-scout-driver
mkwebdesign/filament-watchdog-v5
renatomarinho/laravel-page-speed
zedmagdy/filament-business-hours
renatovdemoura/blade-elements-ui
devgeek/beacon-admin
benjamin-rqt/data-watcher-bundle
atriumphp/atrium
sandermuller/package-boost-laravel
sandermuller/boost-skills
redaxo/core
yusufgenc/filament-api-forge
l3aro/rating-star-for-filament
leek/filament-subtenant-scope
anil/file-picker
broqit/fields-ai