htmLawed
========

[![Build Status](https://img.shields.io/travis/vanilla/htmlawed.svg?style=flat)](https://travis-ci.org/vanilla/htmlawed)
[![Coverage](https://img.shields.io/scrutinizer/coverage/g/vanilla/htmlawed.svg?style=flat)](https://scrutinizer-ci.com/g/vanilla/htmlawed/)
[![Packagist Version](https://img.shields.io/packagist/v/vanilla/htmlawed.svg?style=flat)](https://packagist.org/packages/vanilla/htmlawed)
![LGPL-3.0](https://img.shields.io/packagist/l/vanilla/htmlawed.svg?style=flat)

A composer wrapper for the [htmLawed](http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/) library to purify & filter HTML.
Tested with [PHPUnit](http://phpunit.de/) and [PhantomJS](http://phantomjs.org/).

Why use htmLawed?
-----------------

If your website has any user-generated content then you need to worry about [cross-site scripting (XSS)](http://en.wikipedia.org/wiki/Cross-site_scripting).
htmLawed takes a piece of potentially malicious HTML and removes the malicious code, leaving the rest of the HTML intact.

Beyond the base htmLawed library, this package makes htmLawed a composer package and wraps it in an object so that it can be autoloaded.

Installation
------------

*htmLawed requires PHP 5.4 or higher*

htmLawed is [PSR-4](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-4-autoloader.md) compliant and can be installed using [composer](//getcomposer.org). Just add `vanilla/htmlawed` to your composer.json.

```json
"require": {
    "vanilla/htmlawed": "~1.0"
}
```

Example
-------

```php
echo Htmlawed::filter('<h1>Hello world!');
// Outputs: '<h1>Hello world!</h1>'.

echo Htmlawed::filter('<i>nothing to see</i><script>alert("xss")</script>');
// Outputs: '<i>nothing to see</i>alert("xss")'
```

Configs and Specs
-----------------

The htmLawed filter takes two optional parameters: `$config` and `$spec`. This library provides sensible defaults for these parameters, but you can override them in `Htmlawed::filter()`.

```php
$xss = "<i>nothing to see <script>alert('xss')</script>";

// Pass an empty config and spec for no filtering of malicious code.
echo Htmlawed::filter($xss, [], []);
// Outputs: '<i>nothing to see <script type="text/javascript">alert("xss")</script></i>'

// Pass safe=1 to turn on all the safe options.
echo Htmlawed::filter($xss, ['safe' => 1]);
// Outputs: '<i>nothing to see alert("xss")</i>'

// We provide a convenience method that strips all tags that aren't supposed to be in RSS feeds.
echo Htmlawed::filterRSS('<html><body><h1>Hello world!</h1></body></html>');
// Outputs: '<h1>Hello world!</h1>'
```

See the [htmLawed documentation](http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s2.2) for the full list of options.
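
As a further illustration of overriding the config, the sketch below restricts the output to a small whitelist of elements. It assumes the package was installed with composer so that `vendor/autoload.php` exists next to the script, and it uses the upstream htmLawed `elements` option alongside `safe`. The sample markup and the chosen whitelist are only illustrative, and the exact output depends on the htmLawed version in use.

```php
<?php
// Assumption: dependencies were installed with composer, so the autoloader
// is at vendor/autoload.php relative to this script.
require __DIR__ . '/vendor/autoload.php';

// Illustrative input only: a paragraph with an embedded script tag.
$html = '<p>Hello <strong>world</strong><script>alert("xss")</script></p>';

// 'safe' and 'elements' are upstream htmLawed config options.
// 'elements' takes a comma-separated list of the tags to allow.
$config = [
    'safe' => 1,
    'elements' => 'a, em, strong, p',
];

// Only $config is overridden here; $spec falls back to the library default.
$clean = Htmlawed::filter($html, $config);

echo $clean, PHP_EOL;
```

Because a custom `$config` is passed in place of the library's defaults, it is worth setting `safe` explicitly rather than relying on it being inherited.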

Differences in Vanilla's version of Htmlawed
--------------------------------------------

We try to use the most recent version of htmLawed with as few changes as possible so that bug fixes and security
releases can be merged from the main project. However, we've made a few changes in the source code.

* Balance tags (hl_bal) before validating tags (hl_tag). We found some cases where an unbalanced script tag would not
  get removed and this addresses that issue.
* Don't add an extra `<div>` inside of `<blockquote>` tags.
* Remove naked `<span>`.
* Change indentation from 1 space to 4 spaces.

*If the original author of htmLawed wants to make any of these changes upstream please get in contact with support@vanillaforums.com.*