Documentation

HtmlSanitizerInterface

Sanitizes an untrusted HTML input for safe insertion into a document's DOM.

This interface is inspired by the W3C Standard Draft about a HTML Sanitizer API (https://wicg.github.io/sanitizer-api/).

Tags
author

Titouan Galopin galopintitouan@gmail.com

Table of Contents

Methods

sanitize()  : string
Sanitizes an untrusted HTML input for a <body> context.
sanitizeFor()  : string
Sanitizes an untrusted HTML input for a given context.

Methods

sanitize()

Sanitizes an untrusted HTML input for a <body> context.

public sanitize(string $input) : string

This method is NOT context sensitive: it assumes the returned HTML string will be injected in a "body" context, and therefore will drop tags only allowed in the "head" element. To sanitize a string for injection in the "head" element, use HtmlSanitizerInterface::sanitizeFor().

Parameters
$input : string
Return values
string

sanitizeFor()

Sanitizes an untrusted HTML input for a given context.

public sanitizeFor(string $element, string $input) : string

This method is context sensitive: by providing a parent element name (body, head, title, ...), the sanitizer will adapt its rules to only allow elements that are valid inside the given parent element.

Parameters
$element : string
$input : string
Return values
string

        
On this page

Search results