Html Sanitizer Laravel Package

symfony/html-sanitizer

Symfony HtmlSanitizer provides an object-oriented API to sanitize untrusted HTML before inserting it into the DOM. Configure allowed/blocked tags and attributes, drop or keep children, force attribute values, enforce HTTPS, and restrict link schemes/hosts to prevent XSS and unsafe behavior.

v8.1.0-RC1

Changelog (https://github.com/symfony/html-sanitizer/compare/v8.1.0-BETA3...v8.1.0-RC1)

  • security #cve-2026-48761 Sanitize URL attributes on , , , , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
v8.0.13

Changelog (https://github.com/symfony/html-sanitizer/compare/v8.0.12...v8.0.13)

  • security #cve-2026-48761 Sanitize URL attributes on , , , , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
v7.4.13

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.4.12...v7.4.13)

  • security #cve-2026-48761 Sanitize URL attributes on , , , , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
v6.4.41

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.40...v6.4.41)

  • security #cve-2026-48761 Sanitize URL attributes on , , , , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
v8.1.0-BETA3

Changelog (https://github.com/symfony/html-sanitizer/compare/v8.1.0-BETA1...v8.1.0-BETA3)

  • security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
  • security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
  • security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
v8.0.12

Changelog (https://github.com/symfony/html-sanitizer/compare/v8.0.7...v8.0.12)

  • security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
  • security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
  • security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
v7.4.12

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.4.7...v7.4.12)

  • security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
  • security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
  • security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
v6.4.40

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.35...v6.4.40)

  • security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
  • security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
  • security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
v8.1.0-BETA1
v8.0.8
v7.4.8
v8.0.7

Changelog (https://github.com/symfony/html-sanitizer/compare/v8.0.6...v8.0.7)

  • bug #63598 Add 'sms' to hostless schemes (@hivokas)
v7.4.7

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.4.6...v7.4.7)

  • bug #63598 Add 'sms' to hostless schemes (@hivokas)
v6.4.35

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.34...v6.4.35)

  • bug #63598 Add 'sms' to hostless schemes (@hivokas)
v7.3.6

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.3.5...v7.3.6)

  • bug symfony/symfony#62201 [HtmlSanitizer] Remove srcdoc from allowed attributes (@Spomky)
v6.4.28

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.27...v6.4.28)

  • bug symfony/symfony#62201 [HtmlSanitizer] Remove srcdoc from allowed attributes (@Spomky)
v8.0.0-BETA2

Changelog (https://github.com/symfony/html-sanitizer/compare/v8.0.0-BETA1...v8.0.0-BETA2)

  • bug symfony/symfony#62201 [HtmlSanitizer] Remove srcdoc from allowed attributes (@Spomky)
v7.4.0-BETA2

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.4.0-BETA1...v7.4.0-BETA2)

  • bug symfony/symfony#62201 [HtmlSanitizer] Remove srcdoc from allowed attributes (@Spomky)
v8.0.0-BETA1

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.3.4...v8.0.0-BETA1)

  • feature symfony/symfony#61391 [HtmlSanitizer] Remove MastermindsParser and add $context arg to ParserInterface::parse() (@nicolas-grekas)
  • feature symfony/symfony#61366 [HtmlSanitizer] Use the native HTML5 parser when using PHP 8.4+ (@nicolas-grekas)
  • feature symfony/symfony#60639 Bump Symfony 8 to PHP >= 8.4 (@nicolas-grekas)
v7.4.0-BETA1

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.3.4...v7.4.0-BETA1)

  • feature symfony/symfony#61366 [HtmlSanitizer] Use the native HTML5 parser when using PHP 8.4+ (@nicolas-grekas)
v7.3.3

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.3.2...v7.3.3)

  • bug symfony/symfony#58547 [HtmlSanitizer] Fix force_attributes not replacing existing attribute in initial data (@tgalopin)
v6.4.25

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.24...v6.4.25)

  • bug symfony/symfony#58547 [HtmlSanitizer] Fix force_attributes not replacing existing attribute in initial data (@tgalopin)
v7.3.2
v7.2.9
v6.4.24
v7.3.0-BETA1
v7.2.6
v6.4.21
v7.2.3

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.2.2...v7.2.3)

  • bug symfony/symfony#59525 [HtmlSanitizer] Fix access to undefined keys in UrlSanitizer (Antoine Beyet)
v7.1.11

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.1.10...v7.1.11)

  • bug symfony/symfony#59525 [HtmlSanitizer] Fix access to undefined keys in UrlSanitizer (Antoine Beyet)
v6.4.18

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.17...v6.4.18)

  • bug symfony/symfony#59525 [HtmlSanitizer] Fix access to undefined keys in UrlSanitizer (Antoine Beyet)
v7.2.2

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.2.1...v7.2.2)

  • bug symfony/symfony#59321 [HtmlSanitizer] reject URLs containing whitespaces (@xabbuh)
v7.1.10

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.1.9...v7.1.10)

  • bug symfony/symfony#59321 [HtmlSanitizer] reject URLs containing whitespaces (@xabbuh)
v6.4.17

Changelog (https://github.com/symfony/html-sanitizer/compare/v6.4.16...v6.4.17)

  • bug symfony/symfony#59321 [HtmlSanitizer] reject URLs containing whitespaces (@xabbuh)
v7.2.0-BETA1

Changelog (https://github.com/symfony/html-sanitizer/compare/v7.1.6...v7.2.0-BETA1)

  • feature symfony/symfony#57399 [HtmlSanitizer] Add support for configuring the default action (@Seldaek)
v7.1.6