
HTML Sanitizer Laravel Package

typo3/html-sanitizer

Standalone PHP HTML sanitizer from TYPO3. Define sanitizing rules via Behavior, apply multiple Visitors, and run through a Sanitizer built from reusable presets. Supports safe tag/attribute allowlists, value validation (e.g., regex), and encoding or removing invalid nodes.


Product Decisions This Supports

  • XSS Protection for User-Generated Content: Enables sanitization of HTML input from users, comments, or third-party integrations (e.g., forums, CMS content, or API responses) to prevent cross-site scripting attacks.
  • Customizable HTML Whitelisting: Allows defining granular rules for allowed tags, attributes, and values (e.g., for rich-text editors, markdown-to-HTML converters, or structured data outputs).
  • Compliance with Security Standards: Supports GDPR, PCI-DSS, or other security policies requiring strict input validation (e.g., sanitizing HTML in payment forms or user profiles).
  • Build vs. Buy: Replaces ad-hoc regex-based sanitization or third-party libraries (e.g., HTMLPurifier) with a lightweight, maintainable PHP solution tailored to project needs.
  • Roadmap for Scalable Security: Foundational layer for future features like:
    • Dynamic policy updates (e.g., A/B testing allowed tags).
    • Integration with WYSIWYG editors (e.g., TinyMCE, CKEditor) to enforce sanitization rules.
    • Audit logging for sanitization failures (e.g., tracking blocked XSS attempts).

When to Consider This Package

  • Adopt When:

    • Your PHP application handles untrusted HTML input (e.g., user submissions, APIs, or legacy data migration).
    • You need fine-grained control over allowed tags/attributes (e.g., restricting <script>, onclick, or custom elements).
    • You’re replacing regex-based sanitization or a bloated library (e.g., HTMLPurifier) with a modern, actively maintained alternative.
    • Your stack uses Laravel/PHP and requires integration with existing DOM manipulation tools (e.g., Symfony’s DOMCrawler).
  • Look Elsewhere If:

    • You need JavaScript-based sanitization (e.g., for frontend frameworks like React/Vue).
    • Your use case is simple (e.g., stripping all HTML) and doesn’t require attribute/value validation.
    • You’re constrained by performance (this library processes HTML via DOM, which is slower than regex for trivial cases).
    • You require built-in CSP (Content Security Policy) integration (consider pairing with a CSP header library).
    • Your team lacks PHP/DOM expertise (steep learning curve for custom Behavior/Visitor configurations).

How to Pitch It (Stakeholders)

For Executives:

"This package is a security shield for our user-generated content. By automatically scrubbing malicious HTML (e.g., XSS attacks) while preserving safe formatting, we reduce risk without sacrificing functionality. It’s MIT-licensed, actively maintained, and integrates seamlessly with our Laravel stack—no vendor lock-in. The cost? Minimal dev effort; the payoff? Proactive protection against data breaches and compliance violations."

Key Metrics to Track:

  • Reduction in XSS vulnerabilities (via automated sanitization).
  • Decrease in manual code reviews for HTML input validation.
  • Alignment with security audits (e.g., PCI-DSS, GDPR).

For Engineering Teams:

"This is a drop-in replacement for our current ad-hoc sanitization (or HTMLPurifier), offering:

  • Declarative rules: Define allowed tags/attributes once (e.g., <a href>, <img alt>) and reuse across the app.
  • Extensible architecture: Custom Visitor classes let us handle edge cases (e.g., transforming <typo3> tags to plaintext).
  • Performance: Optimized for PHP 8.2+ with zero dependencies beyond PHP’s DOM extension.
  • Future-proof: Supports PHP 8.5 and modern security practices (e.g., blocking processing instructions).

Implementation Plan:

  1. Phase 1: Replace regex sanitization in user comments/forums with the CommonBuilder preset.
  2. Phase 2: Extend Behavior to enforce project-specific rules (e.g., disallow style attributes).
  3. Phase 3: Integrate with our WYSIWYG editor to auto-sanitize rich-text inputs.

Trade-offs:

  • Learning Curve: Requires understanding Behavior/Visitor patterns (but docs/examples are solid).
  • DOM Overhead: Slower than regex for trivial cases, but 100x safer for complex HTML.

Alternatives Considered:

  • HTMLPurifier: Overkill for our needs (heavyweight, complex config).
  • DOMPurify (JS): Not applicable to our PHP backend.
  • Custom Regex: Prone to XSS gaps (e.g., missing edge cases like <svg onload=...>).

Recommendation: Adopt for critical paths first (e.g., user profiles, admin panels), then expand."
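The Behavior/Visitor/Sanitizer model from the package description and Phases 1 and 2 of the plan above (the CommonBuilder preset, then a project-specific Behavior that leaves out style attributes), as an added example that is not part of this page or the package's own documentation. It assumes the v2 constructor form in which Sanitizer takes the Behavior as its first argument, and the untrusted input string is constructed for illustration.

```php
<?php
// Added example (not from the page or the package docs): a preset sanitizer
// next to a hand-written Behavior that allowlists three tags, validates href
// values with a regex, and encodes unexpected tags as text instead of
// dropping them silently. Class names follow the typo3/html-sanitizer README;
// the Sanitizer($behavior, $visitor) signature is assumed (v2 API).
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\CommonBuilder;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

// Phase 1: the reusable preset, no project-specific rules yet.
$presetSanitizer = (new CommonBuilder())->build();

// Phase 2: an explicit allowlist. Anything not declared here (style, onclick,
// <svg>, <script>, ...) is not allowed, so it never reaches the output as markup.
$hrefAttr = (new Behavior\Attr('href'))
    // value validation: only absolute http(s) URLs pass, so javascript: is rejected
    ->addValues(new Behavior\RegExpAttrValue('#^https?://#i'));

$behavior = (new Behavior())
    // ENCODE_INVALID_TAG keeps a visible, inert trace of what was submitted,
    // which is useful when reviewing blocked content later
    ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
    ->withName('comments')
    ->withTags(
        (new Behavior\Tag('p', Behavior\Tag::ALLOW_CHILDREN)),
        (new Behavior\Tag('a', Behavior\Tag::ALLOW_CHILDREN))->addAttrs($hrefAttr),
        (new Behavior\Tag('br'))
    );

$commentSanitizer = new Sanitizer($behavior, new CommonVisitor($behavior));

// Constructed untrusted input: inline handler, style attribute, javascript: URL,
// and the <svg onload> case named in the alternatives section.
$untrusted = '<p style="color:red" onclick="x()">hi <a href="javascript:alert(1)">a</a>'
    . ' <a href="https://example.org/">b</a><svg onload="y()"></svg></p>';

echo $presetSanitizer->sanitize($untrusted), PHP_EOL;
echo $commentSanitizer->sanitize($untrusted), PHP_EOL;
```

Run it once with each sanitizer on the same input to see which attributes the preset keeps that the project Behavior does not; that diff is the rule set Phase 2 has to justify.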
