HtmlSanitizerConfig

Tags
author

Titouan Galopin galopintitouan@gmail.com

Table of Contents

Properties

$allowedElements  : array<string, array<string, true>>
Elements that should be retained, with their allowed attributes.
$allowedLinkHosts  : array<int, string>|null
Link hosts that should be retained (by default, all hosts are allowed).
$allowedLinkSchemes  : array<int, string>
Link schemes that should be retained, others being dropped.
$allowedMediaHosts  : array<int, string>|null
Image/Audio/Video hosts that should be retained (by default, all hosts are allowed).
$allowedMediaSchemes  : array<int, string>
Image/Audio/Video schemes that should be retained, others being dropped.
$allowRelativeLinks  : bool
Should the sanitizer allow relative links (by default, they are dropped).
$allowRelativeMedias  : bool
Should the sanitizer allow relative media URLs (by default, they are dropped).
$attributeSanitizers  : array<int, AttributeSanitizerInterface>
Sanitizers that should be applied to specific attributes in addition to standard sanitization.
$blockedElements  : array<string, true>
Elements that should be removed but their children should be retained.
$defaultAction  : HtmlSanitizerAction
$droppedElements  : array<string, true>
Elements that should be removed.
$forcedAttributes  : array<string, array<string, string>>
Attributes that should always be added to certain elements.
$forceHttpsUrls  : bool
Should the URLs in the sanitized document be transformed to HTTPS if they are using HTTP.
$maxInputLength  : int

Methods

__construct()  : mixed
allowAttribute()  : static
Configures the given attribute as allowed.
allowElement()  : static
Configures the given element as allowed.
allowLinkHosts()  : static
Allows only a given list of hosts to be used in link href attributes.
allowLinkSchemes()  : static
Allows only a given list of schemes to be used in link href attributes.
allowMediaHosts()  : static
Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).
allowMediaSchemes()  : static
Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).
allowRelativeLinks()  : static
Allows relative URLs to be used in link href attributes.
allowRelativeMedias()  : static
Allows relative URLs to be used in media source attributes (img, audio, video, ...).
allowSafeElements()  : static
Allows "safe" elements and attributes.
allowStaticElements()  : static
Allows all static elements and attributes from the W3C Sanitizer API standard.
blockElement()  : static
Configures the given element as blocked.
defaultAction()  : static
Sets the default action for elements which are not otherwise specifically allowed or blocked.
dropAttribute()  : static
Configures the given attribute as dropped.
dropElement()  : static
Configures the given element as dropped.
forceAttribute()  : static
Forcefully set the value of a given attribute on a given element.
forceHttpsUrls()  : static
Transforms URLs using the HTTP scheme to use the HTTPS scheme instead.
getAllowedElements()  : array<string, array<string, true>>
getAllowedLinkHosts()  : array<int, string>|null
getAllowedLinkSchemes()  : array<int, string>
getAllowedMediaHosts()  : array<int, string>|null
getAllowedMediaSchemes()  : array<int, string>
getAllowRelativeLinks()  : bool
getAllowRelativeMedias()  : bool
getAttributeSanitizers()  : array<int, AttributeSanitizerInterface>
getBlockedElements()  : array<string, true>
getDefaultAction()  : HtmlSanitizerAction
getDroppedElements()  : array<string, true>
getForcedAttributes()  : array<string, array<string, string>>
getForceHttpsUrls()  : bool
getMaxInputLength()  : int
withAttributeSanitizer()  : static
Registers a custom attribute sanitizer.
withMaxInputLength()  : static
withoutAttributeSanitizer()  : static
Unregisters a custom attribute sanitizer.

Properties

$allowedElements

Elements that should be retained, with their allowed attributes.

private array<string, array<string, true>> $allowedElements = []

$allowedLinkHosts

Link hosts that should be retained (by default, all hosts are allowed).

private array<int, string>|null $allowedLinkHosts = null

$allowedLinkSchemes

Link schemes that should be retained, others being dropped.

private array<int, string> $allowedLinkSchemes = ['http', 'https', 'mailto', 'tel']

$allowedMediaHosts

Image/Audio/Video hosts that should be retained (by default, all hosts are allowed).

private array<int, string>|null $allowedMediaHosts = null

$allowedMediaSchemes

Image/Audio/Video schemes that should be retained, others being dropped.

private array<int, string> $allowedMediaSchemes = ['http', 'https', 'data']

$allowRelativeLinks

Should the sanitizer allow relative links (by default, they are dropped).

private bool $allowRelativeLinks = false

$allowRelativeMedias

Should the sanitizer allow relative media URLs (by default, they are dropped).

private bool $allowRelativeMedias = false

$blockedElements

Elements that should be removed but their children should be retained.

private array<string, true> $blockedElements = []

$droppedElements

Elements that should be removed.

private array<string, true> $droppedElements = []

$forcedAttributes

Attributes that should always be added to certain elements.

private array<string, array<string, string>> $forcedAttributes = []

$forceHttpsUrls

Should the URLs in the sanitized document be transformed to HTTPS if they are using HTTP.

private bool $forceHttpsUrls = false

Methods

allowAttribute()

Configures the given attribute as allowed.

public allowAttribute(string $attribute, array<int, string>|string $allowedElements) : static

Allowed attributes are attributes the sanitizer should retain from the input.

A list of allowed elements for this attribute can be passed as a second argument. Passing "*" will allow all currently allowed elements to use this attribute.

Parameters
$attribute : string
$allowedElements : array<int, string>|string
Return values
static

allowElement()

Configures the given element as allowed.

public allowElement(string $element[, array<int, string>|string $allowedAttributes = [] ]) : static

Allowed elements are elements the sanitizer should retain from the input.

A list of allowed attributes for this element can be passed as a second argument. Passing "*" will allow all standard attributes on this element. By default, no attributes are allowed on the element.

Parameters
$element : string
$allowedAttributes : array<int, string>|string = []
Return values
static

allowLinkHosts()

Allows only a given list of hosts to be used in link href attributes.

public allowLinkHosts(array<int, string>|null $allowLinkHosts) : static

All other hosts will be dropped. By default all hosts are allowed ($allowedLinkHosts = null).

Parameters
$allowLinkHosts : array<int, string>|null
Return values
static

allowLinkSchemes()

Allows only a given list of schemes to be used in link href attributes.

public allowLinkSchemes(array<int, string> $allowLinkSchemes) : static

All other schemes will be dropped.

Parameters
$allowLinkSchemes : array<int, string>
Return values
static

allowMediaHosts()

Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).

public allowMediaHosts(array<int, string>|null $allowMediaHosts) : static

All other hosts will be dropped. By default all hosts are allowed ($allowMediaHosts = null).

Parameters
$allowMediaHosts : array<int, string>|null
Return values
static

allowMediaSchemes()

Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).

public allowMediaSchemes(array<int, string> $allowMediaSchemes) : static

All other schemes will be dropped.

Parameters
$allowMediaSchemes : array<int, string>
Return values
static

allowRelativeLinks()

Allows relative URLs to be used in link href attributes.

public allowRelativeLinks([bool $allowRelativeLinks = true ]) : static
Parameters
$allowRelativeLinks : bool = true
Return values
static

allowRelativeMedias()

Allows relative URLs to be used in media source attributes (img, audio, video, ...).

public allowRelativeMedias([bool $allowRelativeMedias = true ]) : static
Parameters
$allowRelativeMedias : bool = true
Return values
static

allowSafeElements()

Allows "safe" elements and attributes.

public allowSafeElements() : static

All scripts will be removed, as well as other dangerous behaviors like CSS injection.

Return values
static

allowStaticElements()

Allows all static elements and attributes from the W3C Sanitizer API standard.

public allowStaticElements() : static

All scripts will be removed but the output may still contain other dangerous behaviors like CSS injection (click-jacking), CSS expressions, ...

Return values
static

blockElement()

Configures the given element as blocked.

public blockElement(string $element) : static

Blocked elements are elements the sanitizer should remove from the input, but retain their children.

Parameters
$element : string
Return values
static

defaultAction()

Sets the default action for elements which are not otherwise specifically allowed or blocked.

public defaultAction(HtmlSanitizerAction $action) : static

Note that a default action of Allow will allow all tags but they will not have any attributes.

Parameters
$action : HtmlSanitizerAction
Return values
static

dropAttribute()

Configures the given attribute as dropped.

public dropAttribute(string $attribute, array<int, string>|string $droppedElements) : static

Dropped attributes are attributes the sanitizer should remove from the input.

A list of elements on which to drop this attribute can be passed as a second argument. Passing "*" will drop this attribute from all currently allowed elements.

Note: when using an empty configuration, all unknown attributes are dropped automatically. This method lets you drop attributes that were allowed earlier in the configuration.

Parameters
$attribute : string
$droppedElements : array<int, string>|string
Return values
static

dropElement()

Configures the given element as dropped.

public dropElement(string $element) : static

Dropped elements are elements the sanitizer should remove from the input, including their children.

Note: when using an empty configuration, all unknown elements are dropped automatically. This method lets you drop elements that were allowed earlier in the configuration, or explicitly drop some if you changed the default action.

Parameters
$element : string
Return values
static
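
The allow, block and drop actions described above, run side by side on one input. This is an added example, not code from the original reference: the `Symfony\Component\HtmlSanitizer` namespace, the `HtmlSanitizer` class with its `sanitize()` method, the `Block` case of `HtmlSanitizerAction` and the Composer autoloader are not shown on this page, and the input is constructed.

```php
<?php
// Added example. Assumes symfony/html-sanitizer is installed through Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Each configuration method returns a new config object and leaves the one it
// was called on untouched, so the returned value must be kept.
$base = (new HtmlSanitizerConfig())
    ->allowElement('p')                     // kept, no attributes allowed
    ->allowElement('a', ['href', 'title'])  // kept, with these two attributes only
    ->blockElement('section')               // tag removed, children kept
    ->dropElement('figure');                // tag and children removed

// Same rules, but elements that no rule mentions are unwrapped instead of
// dropped. Elements whose text content should never reach the output are
// then dropped explicitly, as the dropElement() note above suggests.
$unwrapUnknown = $base
    ->defaultAction(HtmlSanitizerAction::Block)
    ->dropElement('script')
    ->dropElement('style');

// Constructed sample input.
$input = <<<'HTML'
<section>
  <p onclick="track()">Read the <a href="https://example.com/guide" title="Guide" style="color:red">guide</a>.</p>
  <figure><p>caption text</p></figure>
  <aside>note inside an element that no rule mentions</aside>
  <script>console.log("inline script")</script>
</section>
HTML;

$configs = ['default action unchanged' => $base, 'default action Block' => $unwrapUnknown];
foreach ($configs as $label => $config) {
    echo "--- $label ---\n";
    echo (new HtmlSanitizer($config))->sanitize($input), "\n";
}
```

Comparing the two outputs shows where the `aside` text goes under each default action, and that `$base` is unaffected by the calls that derived `$unwrapUnknown` from it.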

forceAttribute()

Forcefully set the value of a given attribute on a given element.

public forceAttribute(string $element, string $attribute, string $value) : static

The attribute will be created on the nodes if it does not already exist.

Parameters
$element : string
$attribute : string
$value : string
Return values
static

forceHttpsUrls()

Transforms URLs using the HTTP scheme to use the HTTPS scheme instead.

public forceHttpsUrls([bool $forceHttpsUrls = true ]) : static
Parameters
$forceHttpsUrls : bool = true
Return values
static
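
The default URL policy next to a restricted one built from the link, media and forced-attribute methods above. This is an added example, not code from the original reference: the `Symfony\Component\HtmlSanitizer` namespace, the `HtmlSanitizer` class with its `sanitize()` method and the Composer autoloader are not shown on this page, and the host names and input are constructed placeholders.

```php
<?php
// Added example. Assumes symfony/html-sanitizer is installed through Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Baseline: safe elements with the default URL policy listed under Properties
// (any host; http, https, mailto, tel for links; http, https, data for media).
$defaults = (new HtmlSanitizerConfig())->allowSafeElements();

// Restricted policy for user-submitted content. Host names are placeholders.
$restricted = $defaults
    ->allowLinkSchemes(['http', 'https', 'mailto'])
    ->allowLinkHosts(['example.com'])
    ->allowMediaSchemes(['https'])          // removes data: from the default list
    ->allowMediaHosts(['cdn.example.com'])
    ->forceHttpsUrls()                      // http:// URLs are rewritten to https://
    ->forceAttribute('a', 'rel', 'noopener noreferrer');

// Constructed sample input.
$input = <<<'HTML'
<p><a href="http://example.com/docs">docs over http</a></p>
<p><a href="https://other.invalid/page">link to another host</a></p>
<p><a href="/account">relative link</a></p>
<p><img src="https://cdn.example.com/logo.png" alt="hosted image"></p>
<p><img src="data:image/gif;base64,AAAA" alt="inline image"></p>
HTML;

foreach (['defaults' => $defaults, 'restricted' => $restricted] as $label => $config) {
    echo "--- $label ---\n";
    echo (new HtmlSanitizer($config))->sanitize($input), "\n";
}

// The getters expose the effective policy, which is useful in a unit test
// that pins the configuration an application ships with.
var_dump($restricted->getAllowedLinkHosts(), $restricted->getAllowRelativeLinks());
```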

getAllowedElements()

public getAllowedElements() : array<string, array<string, true>>
Return values
array<string, array<string, true>>

getAllowedLinkHosts()

public getAllowedLinkHosts() : array<int, string>|null
Return values
array<int, string>|null

getAllowedLinkSchemes()

public getAllowedLinkSchemes() : array<int, string>
Return values
array<int, string>

getAllowedMediaHosts()

public getAllowedMediaHosts() : array<int, string>|null
Return values
array<int, string>|null

getAllowedMediaSchemes()

public getAllowedMediaSchemes() : array<int, string>
Return values
array<int, string>

getBlockedElements()

public getBlockedElements() : array<string, true>
Return values
array<string, true>

getDroppedElements()

public getDroppedElements() : array<string, true>
Return values
array<string, true>

getForcedAttributes()

public getForcedAttributes() : array<string, array<string, string>>
Return values
array<string, array<string, string>>

withMaxInputLength()

public withMaxInputLength(int $maxInputLength) : static
Parameters
$maxInputLength : int

The maximum length of the input string in bytes; -1 means no limit.

Return values
static

        