HtmlSanitizer
in package
implements HtmlSanitizerInterface
Final: Yes
Tags
Table of Contents
Interfaces
- HtmlSanitizerInterface
  Sanitizes an untrusted HTML input for safe insertion into a document's DOM.
Properties
- $config : HtmlSanitizerConfig
- $domVisitors : array<string, DomVisitor>
- $parser : ParserInterface
Methods
- __construct() : mixed
- sanitize() : string
  Sanitizes an untrusted HTML input for a <body> context.
- sanitizeFor() : string
  Sanitizes an untrusted HTML input for a given context.
- createDomVisitorForContext() : DomVisitor
- isValidUtf8() : bool
Properties
$config
private HtmlSanitizerConfig $config
$domVisitors
private array<string, DomVisitor> $domVisitors = []
$parser
private ParserInterface $parser
Methods
__construct()
public __construct(HtmlSanitizerConfig $config[, ParserInterface|null $parser = null ]) : mixed
Parameters
- $config : HtmlSanitizerConfig
- $parser : ParserInterface|null = null
sanitize()
Sanitizes an untrusted HTML input for a <body> context.
public sanitize(string $input) : string
This method is NOT context sensitive: it assumes the returned HTML string will be injected in a "body" context, and therefore will drop tags only allowed in the "head" element. To sanitize a string for injection in the "head" element, use HtmlSanitizerInterface::sanitizeFor().
Parameters
- $input : string
Return values
- string
sanitizeFor()
Sanitizes an untrusted HTML input for a given context.
public sanitizeFor(string $element, string $input) : string
This method is context sensitive: by providing a parent element name (body, head, title, ...), the sanitizer will adapt its rules to only allow elements that are valid inside the given parent element.
Parameters
- $element : string
- $input : string
Return values
- string
createDomVisitorForContext()
private createDomVisitorForContext(string $context) : DomVisitor
Parameters
- $context : string
Return values
- DomVisitor
isValidUtf8()
private isValidUtf8(string $html) : bool
Parameters
- $html : string
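The difference between sanitize() and sanitizeFor() described above, as an added usage example that is not part of the original documentation. It assumes the class is the one shipped in Symfony's HtmlSanitizer component (namespace Symfony\Component\HtmlSanitizer, installed with Composer); the input string and the chosen parent elements are constructed for illustration.

```php
<?php
// Added example, not the package's own code. Assumption: the documented class
// is Symfony\Component\HtmlSanitizer\HtmlSanitizer, available via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Start from the component's built-in allow-list of safe elements and
// attributes; everything not on the list is removed from the output.
$config = (new HtmlSanitizerConfig())->allowSafeElements();
$sanitizer = new HtmlSanitizer($config);

// Constructed untrusted input: head-only tags, body tags, an inline event
// handler and a script element in one string.
$untrusted = '<title>Report</title><meta name="author" content="x">'
    . '<p onclick="track()">Hello <b>world</b></p>'
    . '<script>alert(1)</script>';

// sanitize() always applies the "body" rules, so tags that are only valid
// inside <head> are dropped along with anything outside the allow-list.
echo "sanitize():\n", $sanitizer->sanitize($untrusted), "\n\n";

// sanitizeFor() takes the name of the parent element the result will be
// inserted into and adapts the rules to that parent. Pass the element that
// matches the real insertion point in the template.
foreach (['body', 'head', 'title'] as $parent) {
    echo "sanitizeFor('{$parent}'):\n";
    echo $sanitizer->sanitizeFor($parent, $untrusted), "\n\n";
}

// Check that the fixed-context call and the explicit "body" call agree on
// this input, so either can be used for body insertion points.
var_dump($sanitizer->sanitize($untrusted) === $sanitizer->sanitizeFor('body', $untrusted));
```

Comparing the printed results side by side shows which markup survives in each context; a string sanitized for one parent element should not be reused at an insertion point with a different parent.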