This repository has been archived by the owner on May 23, 2024. It is now read-only.

Merge pull request #14 from tgalopin/htmlpurifier-comparison
Add HTMLPurifier comparison
tgalopin authored Nov 26, 2018
2 parents 479a577 + 089a296 commit 45ec054
Showing 2 changed files with 20 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -23,6 +23,7 @@ This library is also available as [a Symfony bundle](https://github.com/tgalopin
1. [Getting started](https://github.com/tgalopin/html-sanitizer/blob/master/docs/1-getting-started.md)
2. [Creating an extension to allow custom tags](https://github.com/tgalopin/html-sanitizer/blob/master/docs/2-creating-an-extension-to-allow-custom-tags.md)
3. [Configuration reference](https://github.com/tgalopin/html-sanitizer/blob/master/docs/3-configuration-reference.md)
4. [Comparison with HTMLPurifier](https://github.com/tgalopin/html-sanitizer/blob/master/docs/4-comparison-with-htmlpurifier.md)

## Security Issues

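Review bot: the new entry `4. [Comparison with HTMLPurifier](https://github.com/tgalopin/html-sanitizer/blob/master/docs/4-comparison-with-htmlpurifier.md)` is an absolute link pinned to the master branch, so it resolves only once this commit is on master and returns a 404 when the README is read at an earlier tag or on a fork; a relative path such as `docs/4-comparison-with-htmlpurifier.md` would follow whatever revision the reader has checked out. The three existing entries use the same absolute form, so the new line is consistent with them, but it would be worth switching all four together rather than adding a fourth pinned link.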
19 changes: 19 additions & 0 deletions docs/4-comparison-with-htmlpurifier.md
@@ -0,0 +1,19 @@
# Comparison with HTMLPurifier

HTML sanitation is a vast domain and many library exist in PHP to tackle this problem. The most famous one is
probably HTMLPurifier. However, html-sanitizer and HTMLPurifier do not have the same goal, even if they share a
common use-case (XSS filtering).

HTMLPurifier aims at creating safe and valid HTML as close as possible to a given input. It wants to be generic
and it is therefore quite cumbersome to configure for specific needs and constraints. It is well suited to clean
full documents in which you need to keep the full structure and CSS while removing only the unsafe elements.

html-sanitizer is much stricter and does not try to fix the HTML provided. Instead, it builds
new HTML from scratch by extracting only the safe data from the input. It aims to be used in combination with a
WYSIWYG / client-side editor that output valid HTML: if the provided HTML was badly written, it means
someone is trying to do something evil and the sanitizer can simply remove the invalid parts entirely.

An important part of html-sanitizer is predictability: by being able to configure a specific list of
allowed tags and attributes, you can be certain you will only get these tags in the ouput of the sanitizer.
This allows you to prevent not only XSS attacks but also all kinds of attacks related to CSS, as you are
able to design properly each tag you allowed.

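Review bot: the predictability paragraph overstates the guarantee. An allow-list of tags and attributes bounds which elements reach the output, but "you can be certain you will only get these tags in the ouput" and "prevent not only XSS attacks but also all kinds of attacks related to CSS" read as if the tag list alone were sufficient; `href`/`src` values (javascript: and data: schemes) and any allowed `style` content still need value-level validation, so say either that the library also sanitizes attribute values, if it does, or that the guarantee is about the element set. The sentence "if the provided HTML was badly written, it means someone is trying to do something evil" is likewise too strong, since malformed markup comes from editor bugs and pasted content at least as often as from attackers; "the sanitizer does not need to repair it and can drop the invalid parts" states the actual design choice without the attribution of intent. Typos to fix in the same file: "HTML sanitation" should be "HTML sanitization", "many library exist" should be "many libraries exist", "editor that output valid HTML" should be "editors that output valid HTML", "ouput" should be "output", and "design properly each tag you allowed" should be "properly design each tag you allow".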