Html Sanitizer Laravel Package

symfony/html-sanitizer

Symfony HtmlSanitizer provides an object-oriented API to sanitize untrusted HTML before inserting it into the DOM. Configure allowed/blocked tags and attributes, drop or keep children, force attribute values, enforce HTTPS, and restrict link schemes/hosts to prevent XSS and unsafe behavior.
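The configuration surface described above, as an added example (this is not code from the symfony/html-sanitizer project or from this page): a sanitizer that restricts link and media hosts and schemes, forces HTTPS, pins `rel` on links, and is then run over a constructed payload that mixes allowed content with the URL-based vectors this page is concerned with. The host names, the sample input and the checks are assumptions chosen for illustration; the method names are the component's public `HtmlSanitizerConfig` API.

```php
<?php
// Added example, not code from symfony/html-sanitizer or from this page.
// Assumes the component is installed via Composer. Host names, the input
// payload and the expected-output checks are constructed for illustration.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

function buildSanitizer(): HtmlSanitizer
{
    $config = (new HtmlSanitizerConfig())
        // Start from the component's own list of elements considered safe
        // (no <script>, <iframe>, <form>, no event-handler attributes).
        ->allowSafeElements()
        // <a href>: only these schemes (javascript: and data: are dropped)
        // and only these hosts. Hosts are bare host names, never URLs.
        ->allowLinkSchemes(['http', 'https', 'mailto'])
        ->allowLinkHosts(['example.com', 'cdn.example.com'])
        ->allowRelativeLinks(false)
        // Media source attributes (img/video/audio src, poster, ...):
        // only our CDN, only over https.
        ->allowMediaSchemes(['https'])
        ->allowMediaHosts(['cdn.example.com'])
        ->allowRelativeMedias(false)
        // Rewrite http:// to https:// on every URL that survives.
        ->forceHttpsUrls(true)
        // Defeat reverse tabnabbing on every surviving link.
        ->forceAttribute('a', 'rel', 'noopener noreferrer')
        // Refuse pathological inputs before parsing them.
        ->withMaxInputLength(20_000);

    return new HtmlSanitizer($config);
}

// Constructed untrusted input: legitimate content plus several of the
// URL-based vectors discussed on this page.
$untrusted = <<<'HTML'
<p>Hello <a href="javascript:alert(document.cookie)">click</a></p>
<a href="http://example.com/profile">profile</a>
<img src="https://evil.example/track.gif">
<img src="https://cdn.example.com/logo.png" onerror="alert(1)">
<script>alert(1)</script>
HTML;

$clean = buildSanitizer()->sanitize($untrusted);
echo $clean, PHP_EOL;

// Checks a practitioner would keep in a regression test: the dangerous
// parts are gone, the allowed link survived and was upgraded to https.
foreach (['javascript:', 'evil.example', '<script', 'onerror'] as $needle) {
    if (str_contains($clean, $needle)) {
        throw new RuntimeException("sanitizer let through: $needle");
    }
}
if (!str_contains($clean, 'https://example.com/profile')) {
    throw new RuntimeException('allowed link was not preserved and upgraded');
}
```

Two things to verify against the version you actually install: whether an allowed host also admits its subdomains (the component's own test suite is the authoritative reference), and that the attributes the page lists as newly covered (action, formaction, poster, cite) are handled by your installed release rather than only by the BETA3 described here.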


Product Decisions This Supports

  • Enhanced Security Against URL-Based Attacks

    • Mitigate XSS via URL Sanitization: The new release patches critical vulnerabilities (CVE-2026-45753, CVE-2026-45064, CVE-2026-45066) in URL-bearing attributes such as action, formaction, poster, and cite. This justifies upgrading to v8.1.0-BETA3 to block:
      • BiDi override characters (e.g., U+202E) in URLs, which can defeat scheme and host checks.
      • URL parser differentials (e.g., percent-encoded spaces, malformed schemes) in <area> tags and in links/media restricted with allowLinkHosts/allowMediaHosts.
    • Compliance Alignment: Maps to OWASP Top 10 A03:2021 (Injection) and to PCI DSS input-validation requirements for untrusted HTML rendered into dynamic attributes.
  • Roadmap Refinement for High-Risk Features

    • Phase 1 Update: Prioritize integration into forms (e.g., <form action="...">, <button formaction="...">), media (e.g., <video poster="...">, <img src="...">), and other interactive elements where URL-based XSS is most prevalent.
    • Phase 2 Expansion: Use the allowLinkHosts/allowMediaHosts fixes to tighten third-party embeds (e.g., YouTube iframes, custom widgets) by preventing host-bypass exploits. Note that iframe and img src fall under the media rules; only <a href> falls under the link rules.
    • Phase 3 Customization: Extend URL validation to internal conventions (e.g., SPA deep links carried in data-* attributes) by allowing the attribute with allowAttribute() and registering a custom AttributeSanitizerInterface through withAttributeSanitizer(); the component's extension point is the attribute sanitizer, not an event system.
  • Performance and Maintainability

    • Reduced Attack Surface: The fixes eliminate edge cases that previously required custom regex or manual URL validation, simplifying codebases.
    • Backward-Compatible Upgrade: No breaking changes in the public API are reported; confirm against the release notes and run your stored HTML fixtures through the new version in staging before rollout. Ideal for low-risk pilot phases in security-critical modules.
  • Developer Experience (DX) for Security Teams

    • Automated Protection: Developers no longer need to hand-sanitize URLs in the attributes the component covers; the default behavior is now hardened. Other sinks (inline JavaScript, CSS, HTTP headers, redirects) are outside its scope and still need their own encoding or validation.
    • Config-Driven Host Whitelisting: The allowLinkHosts/allowMediaHosts improvements enable fine-grained control over external resources (e.g., restricting media to cdn.example.com).
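The Phase 3 item above (extending URL validation to a data-* attribute used for SPA deep links) as an added example; this is not code from the symfony/html-sanitizer project or from this page. It registers a custom attribute sanitizer through the component's `withAttributeSanitizer()` extension point. The attribute name `data-route`, the accepted route grammar and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from symfony/html-sanitizer or from this page.
// The attribute name `data-route` and its allowed grammar are assumptions.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;

/**
 * Accepts only in-app routes of the form "/section/slug[?k=v]" in the
 * data-route attribute of <a>, so the client-side router never receives a
 * scheme, a host, a protocol-relative path or a BiDi control character
 * that originated in user content.
 */
final class RouteAttributeSanitizer implements AttributeSanitizerInterface
{
    public function getSupportedElements(): ?array
    {
        return ['a'];
    }

    public function getSupportedAttributes(): ?array
    {
        return ['data-route'];
    }

    public function sanitizeAttribute(string $element, string $attribute, string $value, HtmlSanitizerConfig $config): ?string
    {
        $value = trim($value);
        // Printable ASCII only: rejects control bytes and every non-ASCII
        // character, including Unicode BiDi overrides such as U+202E.
        if ($value === '' || !preg_match('/^[\x21-\x7E]+$/', $value)) {
            return null; // null drops the attribute from the output
        }
        // Exactly one leading slash (so "//evil.example" and "\\evil" fail),
        // constrained path segments, optional constrained query, no "." segments
        // and no scheme separator.
        if (!preg_match('#^/[a-z0-9-]+(?:/[a-z0-9-]+)*(?:\?[a-z0-9=&-]*)?$#', $value)) {
            return null;
        }

        return $value;
    }
}

function buildRouteAwareSanitizer(): HtmlSanitizer
{
    $config = (new HtmlSanitizerConfig())
        ->allowSafeElements()
        // data-route is not in the W3C reference, so it must be allowed
        // explicitly; our sanitizer then validates its value.
        ->allowAttribute('data-route', ['a'])
        ->withAttributeSanitizer(new RouteAttributeSanitizer());

    return new HtmlSanitizer($config);
}

// Constructed input: one legitimate deep link and three that must be dropped.
$untrusted = <<<HTML
<a data-route="/orders/123?tab=items">ok</a>
<a data-route="//evil.example/phish">protocol-relative</a>
<a data-route="javascript:alert(1)">scheme</a>
<a data-route="/orders/\u{202E}321">bidi override</a>
HTML;

$clean = buildRouteAwareSanitizer()->sanitize($untrusted);
echo $clean, PHP_EOL;

// Exactly one data-route survives, and it is the legitimate one.
if (substr_count($clean, 'data-route=') !== 1 || !str_contains($clean, '/orders/123')) {
    throw new RuntimeException('unexpected data-route output');
}
foreach (['evil.example', 'javascript:'] as $needle) {
    if (str_contains($clean, $needle)) {
        throw new RuntimeException("sanitizer let through: $needle");
    }
}
```

The value handed to sanitizeAttribute() is the decoded attribute value, so entity-encoded tricks (`&#x202E;`, `&#x2F;&#x2F;`) are caught by the same checks as their literal forms. Keep the grammar an allow-list of what your router actually accepts rather than a deny-list of known bad prefixes.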

When to Consider This Package

  • Look Elsewhere If:

    • You rely on non-standard URL schemes (e.g., data: or custom protocols like app://). These are not allowed by default and must be added explicitly with allowLinkSchemes()/allowMediaSchemes(); javascript: links cannot be made safe and should stay blocked.
    • Your app runs an old PHP release: Symfony 8.x requires a recent PHP version. Check the `php` constraint in the package's composer.json against your runtime before planning the upgrade.
    • You need URL validation outside HTML attributes: For dynamic URL handling (e.g., user-provided redirects, Location headers), the sanitizer does not apply; pair it with dedicated URL validation (e.g., filter_var with FILTER_VALIDATE_URL plus an explicit host allow-list).
    • You cannot validate the upgrade in staging: If you are on v8.1.0-BETA1/BETA2, these CVEs still require prompt patching; the only acceptable delay is the time needed to run your HTML fixtures against BETA3 in a non-production environment.
  • Adopt If:

    • Your app processes user-controlled URLs in HTML attributes (e.g., <a href="...">, <form action="...">, <img src="...">).
    • You’re migrating from ad-hoc URL sanitization (e.g., preg_replace, parse_url) to a maintained solution.
    • You need OWASP/PCI-compliant URL validation without reinventing the wheel.
    • Your team is upgrading Symfony/Laravel dependencies and wants to align with the latest security patches.

How to Pitch It (Stakeholders)

For Executives:

*"We’ve identified three critical XSS vulnerabilities in how our app handles URLs—from file uploads to interactive forms—that could let attackers bypass our current sanitization. The latest Symfony HtmlSanitizer v8.1.0-BETA3 patches these gaps with zero configuration changes to our codebase:

  • Blocks BiDi override characters (used in phishing attacks).
  • Fixes URL parser exploits in links and media embeds.
  • Hardens host whitelisting for third-party resources.

This is a direct mitigation for OWASP's Injection risks and aligns with PCI DSS. The upgrade is low-risk (backward-compatible) and high-impact, preventing attribute-based XSS, unsafe link schemes, links and embeds pointing at attacker-controlled hosts, and malicious media loads. Given the CVEs, we should prioritize this as a security hotfix for Q3, with a focus on forms, uploads, and embeds."*

Ask: "Should we treat this as a critical patch (like a dependency update) or defer until our next security sprint?"


For Engineering Leaders:

*"v8.1.0-BETA3 closes three CVEs targeting URL-based XSS in HTML attributes. Here’s the impact:

  • No Breaking Changes: Safe to upgrade; we only need to rebuild dependencies.
  • Automated Fixes: Covers edge cases we’d otherwise handle with custom regex (e.g., percent-encoded spaces, BiDi chars).
  • Host Whitelisting Improvements: Simplifies securing <a> tags with allowLinkHosts and <img>/<iframe> sources with allowMediaHosts.

Proposal:

  1. Pilot in high-risk areas: Forms (action, formaction), media (poster, src), and links (href).
  2. Audit third-party embeds: Update allowMediaHosts to reflect the new URL parser strictness.
  3. Deprecate custom URL sanitizers: Replace any preg_replace/parse_url hacks with the component’s built-in validation.

Trade-off: If you use non-standard URLs (e.g., data: URIs), you’ll need to explicitly configure them. Otherwise, this is a drop-in security win."*

Ask: "Does this align with our secure-by-default initiative? Should we pair it with a URL validation layer for dynamic redirects?"


For Developers:

*"v8.1.0-BETA3 is a security-focused upgrade—here’s what’s changed under the hood:

  • URL Attributes Are Now Hardened: No more BiDi exploits or malformed schemes slipping through in action, href, etc.
  • Host Whitelisting is Stricter: The allowLinkHosts/allowMediaHosts rules now parse URLs more rigorously (e.g., rejects http://example.com/ with a trailing space).
  • Extensibility: If you need to allow custom URL schemes (e.g., app://), add them with allowLinkSchemes()/allowMediaSchemes(); for custom attributes or validation rules, register an AttributeSanitizerInterface implementation with withAttributeSanitizer().

Migration Steps:

  1. Update composer.json to symfony/html-sanitizer:^8.1.0-BETA3.
  2. No config changes needed unless you rely on edge cases (e.g., data: or custom schemes; javascript: links were never allowed and must stay blocked).
  3. Test forms/media uploads: Focus on attributes like action, src, poster, and cite.

Example (Host Whitelisting):

use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Hosts are bare host names, not URLs. The scheme is controlled separately
// with allowLinkSchemes()/allowMediaSchemes(), or forced with forceHttpsUrls().
$config = (new HtmlSanitizerConfig())
    ->allowSafeElements()
    ->allowLinkHosts(['cdn.example.com', 'trusted-api.com'])
    ->allowMediaHosts(['cdn.example.com']);
// Now safely rejects: `<a href="https://cdn.example.com/ ">` (trailing space)

Pro Tip: iframe src is governed by the media rules, not the link rules. Allow the element and attribute explicitly with ->allowElement('iframe', ['src']) and let ->allowMediaHosts([...]) restrict where it may point; allowElement() takes attribute names, not host rules."*

Ask: "Should we add a pre-commit hook to scan for custom URL sanitization code that needs replacement?"
