Html Sanitizer Laravel Package

typo3/html-sanitizer

Standalone PHP HTML sanitizer from TYPO3. Define sanitizing rules via Behavior, apply multiple Visitors, and run through a Sanitizer built from reusable presets. Supports safe tag/attribute allowlists, value validation (e.g., regex), and encoding or removing invalid nodes.

HTML sanitizer, written in PHP, aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.

Frequently asked questions about Html Sanitizer
How do I integrate `typo3/html-sanitizer` into a Laravel project for sanitizing user-submitted HTML?
Install it with Composer (`composer require typo3/html-sanitizer`) and wrap the `Sanitizer` in a small service class bound in the container, so one allowlist is used everywhere. Call that service from a `FormRequest` (in `prepareForValidation()`) to clean input before it is stored, and from a Blade directive where stored HTML is rendered. Laravel validation rules only accept or reject a value and never transform it, so the sanitizing step has to live outside the rule itself. The package's `CommonBuilder` preset ships a ready-made allowlist for common tags such as `<a>`, `<p>` and `<img>` if you do not want to write a `Behavior` by hand.
Does this package work with Laravel’s Blade templating engine for escaping HTML?
Yes, but it solves a different problem. Blade's `{{ }}` escapes everything, which is right for plain values and would turn user HTML into visible tags. Untrusted markup that must render as HTML has to go through `{!! !!}`, which performs no escaping at all; that is exactly where the sanitizer belongs, applied to the string before it reaches `{!! !!}`. Keep `{{ }}` for ordinary dynamic values and reserve the sanitizer for the few fields that legitimately contain HTML.
What Laravel versions and PHP versions does `typo3/html-sanitizer` support?
The package is framework-agnostic and declares no Laravel dependency, so it is not tied to particular Laravel releases; any Laravel version whose PHP requirement overlaps the package's PHP constraint works. Read the `require` section of the package's `composer.json` (on [GitHub](https://github.com/TYPO3/html-sanitizer)) for the PHP range of the release you install. It parses markup with the `masterminds/html5` library, which builds on PHP's DOM extension, so `ext-dom` must be available.
Can I customize which HTML tags and attributes are allowed for my Laravel app?
Yes. Write your own class implementing `BuilderInterface`, or extend `CommonBuilder`, to produce a preset with the tags and attributes you need, for example an extra `<video>` tag or an `<img>` that accepts only `src`. Rules are expressed with the `Behavior` class and its `Tag`, `Attr` and attribute-value objects (such as `RegExpAttrValue` for pattern checks on values); the `with...()` methods return modified copies, so a base `Behavior` can be shared and specialised per context without one context's changes leaking into another. Keep allowlists minimal: every extra tag or attribute is attack surface, and URL-bearing attributes (`href`, `src`) should always carry a value rule that restricts the scheme.
How does this package handle edge cases like malformed HTML or attributes that are not on the allowlist (e.g., `srcset`)?
Input is parsed into a DOM tree first, so malformed markup (unclosed or misnested tags) is normalised the way a browser would normalise it before any rule is applied; that avoids the classic mismatch where a regex filter and the browser disagree about where a tag ends. What happens to tags and attributes that are not allowed is governed by the `Behavior` flags: with `Behavior::ENCODE_INVALID_TAG` a disallowed tag is kept as escaped text, otherwise it is removed, and attributes that are not allowlisted are dropped. `srcset` is not a deprecated attribute, but it is only emitted if the preset allows it, and its handling has changed between releases (v2.3.1 reverted a change and restored `srcsetAttr`), so pin a current version and test the responsive-image markup you rely on.
Is there a performance impact when sanitizing large HTML strings in Laravel?
Usually not for typical form input, but it is not free: the package builds a full DOM tree of the input with `masterminds/html5` and then walks it with visitors, so CPU and memory scale with document size and nesting depth. Untrusted input controls that size, which makes an unbounded sanitizer a resource-exhaustion vector. Cap the accepted length before sanitizing (a `max` validation rule or a length check), benchmark with payloads at that cap, and sanitize once on write rather than on every render.
Can I use this in Laravel’s Form Request validation to sanitize input?
Yes, though not as a validation rule: Laravel rules only return pass or fail and cannot rewrite the value. Override `prepareForValidation()` in your `FormRequest` and `$this->merge()` the sanitized HTML over the raw field, so both the validator and the controller only ever see the cleaned value. Sanitize on the way in and store the result; if you also sanitize on output, treat that as defence in depth rather than a replacement.
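The following is an added example, not code from typo3/html-sanitizer or from this page, showing the integration described in the answers above: a container-bound service that builds a custom `Behavior` (a handful of inline tags, `href` limited to http(s) URLs), a `FormRequest` that sanitizes in `prepareForValidation()` behind a size gate, and a Blade directive for rendering. The class names (`UserHtmlSanitizer`, `StoreCommentRequest`, the `@sanitized` directive) are hypothetical, and the `new Sanitizer($behavior, ...$visitors)` constructor shape is the 2.x one as assumed here; confirm it against the README of the version you install.

```php
<?php
// Added example (hypothetical App\... class names; not the package's own code).
// Assumes typo3/html-sanitizer 2.x and Laravel 9+. The three namespaces below
// would normally live in three files; braced namespaces keep it one file here.

namespace App\Support {
    use TYPO3\HtmlSanitizer\Behavior;
    use TYPO3\HtmlSanitizer\Sanitizer;
    use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

    final class UserHtmlSanitizer
    {
        private Sanitizer $sanitizer;

        public function __construct()
        {
            // href must be an absolute http(s) URL: this rejects javascript:,
            // data: and vbscript: schemes; links are the usual XSS carrier.
            $href = (new Behavior\Attr('href'))
                ->addValues(new Behavior\RegExpAttrValue('#^https?://#i'));

            $behavior = (new Behavior())
                // ENCODE_INVALID_TAG: disallowed tags survive as escaped text
                // (visible, harmless) instead of being silently dropped.
                // REMOVE_UNEXPECTED_CHILDREN: per the README, children of tags
                // declared without ALLOW_CHILDREN (here <br>) are removed.
                ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
                ->withName('user-comment')
                ->withTags(
                    new Behavior\Tag('p', Behavior\Tag::ALLOW_CHILDREN),
                    new Behavior\Tag('strong', Behavior\Tag::ALLOW_CHILDREN),
                    new Behavior\Tag('em', Behavior\Tag::ALLOW_CHILDREN),
                    new Behavior\Tag('br'),
                    (new Behavior\Tag('a', Behavior\Tag::ALLOW_CHILDREN))->addAttrs($href)
                );

            // 2.x constructor shape assumed: Behavior first, then the visitors.
            $this->sanitizer = new Sanitizer($behavior, new CommonVisitor($behavior));
        }

        public function clean(?string $html): string
        {
            return $this->sanitizer->sanitize((string) $html);
        }
    }
}

namespace App\Http\Requests {
    use App\Support\UserHtmlSanitizer;
    use Illuminate\Foundation\Http\FormRequest;

    final class StoreCommentRequest extends FormRequest
    {
        // Upper bound on what we are willing to parse: input size drives the
        // sanitizer's CPU and memory cost. Laravel's max rule counts characters,
        // so the gate below uses mb_strlen to stay consistent with it.
        private const MAX_BODY_CHARS = 20000;

        public function rules(): array
        {
            return ['body' => ['required', 'string', 'max:' . self::MAX_BODY_CHARS]];
        }

        // Runs before validation, so rules and the controller see clean HTML.
        protected function prepareForValidation(): void
        {
            $raw = $this->input('body');
            if (!is_string($raw) || mb_strlen($raw) > self::MAX_BODY_CHARS) {
                return; // leave it untouched; the string/max rules will reject it
            }
            $this->merge(['body' => app(UserHtmlSanitizer::class)->clean($raw)]);
        }
    }
}

namespace App\Providers {
    use App\Support\UserHtmlSanitizer;
    use Illuminate\Support\Facades\Blade;
    use Illuminate\Support\ServiceProvider;

    final class AppServiceProvider extends ServiceProvider
    {
        public function register(): void
        {
            // One instance, one Behavior, reused across the request.
            $this->app->singleton(UserHtmlSanitizer::class);
        }

        public function boot(): void
        {
            // @sanitized($comment->body) instead of {!! $comment->body !!}:
            // output passes the same allowlist as input (defence in depth).
            Blade::directive('sanitized', function (string $expression): string {
                return "<?php echo app(\\App\\Support\\UserHtmlSanitizer::class)->clean({$expression}); ?>";
            });
        }
    }
}
```

In a view, `@sanitized($comment->body)` replaces `{!! $comment->body !!}`; the input-side sanitization in the request is the primary control, and the directive catches any path (imports, admin edits, older rows) that bypassed it.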
Are there alternatives to `typo3/html-sanitizer` for Laravel, like HTML Purifier or DOMPurify?
Yes. HTML Purifier is the long-standing PHP sanitizer, with a large configuration surface and a correspondingly heavier footprint. DOMPurify is a JavaScript library that runs in the browser, so it protects client-side rendering rather than what your server stores and serves; it is not a drop-in server-side replacement. `typo3/html-sanitizer` is comparatively small and explicit: everything not allowlisted is dropped or encoded, and the rules are defined in code rather than in a configuration object. It is not dependency-free, though: it relies on `masterminds/html5` and PHP's DOM extension for parsing. Whichever you pick, use a maintained parser-based library rather than regex stripping, and keep the allowlist as narrow as the use case permits.
How do I test that the sanitizer is working correctly in my Laravel app?
Write PHPUnit tests around the `Sanitizer` instance your service builds, using the same `Behavior` as production. Cover the obvious payloads (`<script>`, `javascript:` URLs in `href`, `on*` event attributes, `<img onerror>`, `<iframe>`), malformed markup, and a positive case confirming that the tags you allow survive intact. Do not pin the test to one exact encoded string: depending on the flags, `<script>alert('xss')</script>` is either removed or kept as escaped text such as `&lt;script&gt;...&lt;/script&gt;`, so asserting on parsed structure (no `<script>` element, no event attributes, no non-http(s) `href`) is more robust than comparing raw output. For Blade-rendered pages, Laravel's `assertSee`/`assertDontSee` in feature tests catch regressions where a view bypasses the sanitizer with `{!! !!}`.
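An added example of the structural test style recommended above (not from the package or from this page): it sanitizes a few constructed payloads with the `CommonBuilder` preset, re-parses the output with `DOMDocument`, and asserts on the resulting tree rather than on exact strings, so the test holds whether a disallowed tag is removed or encoded. `CommonBuilder::build()` is the package's own preset API; the test class name and the payloads are made up for the example.

```php
<?php
// Added example test (hypothetical class name; not the package's own suite).
// Assumes typo3/html-sanitizer 2.x (CommonBuilder::build() returns a Sanitizer)
// and PHPUnit 9+. All payloads are constructed for this test.

namespace Tests\Unit;

use DOMDocument;
use DOMXPath;
use PHPUnit\Framework\TestCase;
use TYPO3\HtmlSanitizer\Builder\CommonBuilder;
use TYPO3\HtmlSanitizer\Sanitizer;

final class HtmlSanitizerTest extends TestCase
{
    private Sanitizer $sanitizer;

    protected function setUp(): void
    {
        // Swap in your own builder/Behavior to test the production allowlist.
        $this->sanitizer = (new CommonBuilder())->build();
    }

    /** Hostile inputs: none may leave an executable vector in the output. */
    public static function hostilePayloads(): array
    {
        return [
            'script tag'      => ['<p>hi</p><script>alert(1)</script>'],
            'event handler'   => ['<img src="https://example.test/a.png" onerror="alert(1)">'],
            'javascript href' => ['<a href="javascript:alert(1)">x</a>'],
            'malformed'       => ['<p><a href="https://example.test" onclick=alert(1)>x'],
            'iframe'          => ['<iframe src="https://example.test/"></iframe>'],
        ];
    }

    /** @dataProvider hostilePayloads */
    public function testHostileMarkupYieldsNoExecutableVector(string $payload): void
    {
        $out = $this->sanitizer->sanitize($payload);
        $xpath = self::parse($out);

        // Encoded tags re-parse as text, removed tags are gone: either is fine.
        self::assertCount(0, $xpath->query('//script | //iframe'), $out);
        // No on* attributes anywhere in the tree.
        self::assertCount(0, $xpath->query('//@*[starts-with(name(), "on")]'), $out);
        // Any surviving href/src must be an http(s) URL.
        foreach ($xpath->query('//@href | //@src') as $attr) {
            self::assertMatchesRegularExpression('#^https?://#i', $attr->nodeValue, $out);
        }
    }

    public function testAllowedMarkupSurvives(): void
    {
        $out = $this->sanitizer->sanitize('<p>Hello <strong>world</strong></p>');
        self::assertCount(1, self::parse($out)->query('//p/strong'), $out);
    }

    private static function parse(string $html): DOMXPath
    {
        $dom = new DOMDocument();
        // Sanitizer output is a fragment; wrap it so DOMDocument parses it as a
        // document, and silence libxml notices about fragment oddities.
        $dom->loadHTML(
            '<!DOCTYPE html><html><body>' . $html . '</body></html>',
            LIBXML_NOERROR | LIBXML_NOWARNING
        );
        return new DOMXPath($dom);
    }
}
```

The third assertion is deliberately a loop over surviving attributes rather than a check that the literal `javascript:` is absent: with encoding flags enabled the payload may legitimately survive as visible text, and only its position in the tree (attribute versus text node) determines whether it is dangerous.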
Will this package break if I upgrade Laravel or PHP versions?
A Laravel upgrade by itself will not affect it, since the package does not depend on Laravel; a PHP upgrade matters only if the new PHP version falls outside the range declared in the package's `composer.json`. Read the package changelog before bumping its own major version, because the `Behavior`/`Sanitizer` API and the default presets (including attribute handling such as `srcsetAttr`) have changed across releases, and keep a test suite of representative payloads so any change in what is allowed or stripped shows up immediately rather than in production.