Documentation

HtmlSanitizer
in package
implements HtmlSanitizerInterface

Final: Yes
Tags
author

Titouan Galopin <galopintitouan@gmail.com>

Table of Contents

Interfaces

HtmlSanitizerInterface
Sanitizes an untrusted HTML input for safe insertion into a document's DOM.

Properties

$config  : HtmlSanitizerConfig
$domVisitors  : array<string, DomVisitor>
$parser  : ParserInterface

Methods

__construct()  : mixed
sanitize()  : string
Sanitizes an untrusted HTML input for a <body> context.
sanitizeFor()  : string
Sanitizes an untrusted HTML input for a given context.
createDomVisitorForContext()  : DomVisitor
isValidUtf8()  : bool

Properties

$domVisitors

private array<string, DomVisitor> $domVisitors = []

Methods

sanitize()

Sanitizes an untrusted HTML input for a <body> context.

public sanitize(string $input) : string

This method is NOT context sensitive: it assumes the returned HTML string will be injected in a "body" context, and therefore will drop tags only allowed in the "head" element. To sanitize a string for injection in the "head" element, use HtmlSanitizerInterface::sanitizeFor().

Parameters
$input : string
Return values
string

sanitizeFor()

Sanitizes an untrusted HTML input for a given context.

public sanitizeFor(string $element, string $input) : string

This method is context sensitive: by providing a parent element name (body, head, title, ...), the sanitizer will adapt its rules to only allow elements that are valid inside the given parent element.

Parameters
$element : string
$input : string
Return values
string
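
The difference between `sanitize()` and `sanitizeFor()` described above, as an added example that is not part of the generated documentation. It assumes the class is the Symfony HtmlSanitizer component under the `Symfony\Component\HtmlSanitizer` namespace, loaded through a Composer autoloader; `sanitizeForSlot()` and the sample input are hypothetical.

```php
<?php
// Added example, not the project's own code.
// Assumption: Symfony HtmlSanitizer component installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;

/**
 * Hypothetical helper: sanitize untrusted HTML according to the parent
 * element the template is about to insert it into.
 */
function sanitizeForSlot(HtmlSanitizerInterface $sanitizer, string $parent, string $untrusted): string
{
    // Accept only the parent elements the templates really use. An unknown
    // context is a template bug, so fail closed instead of guessing.
    $allowedParents = ['body', 'head', 'title'];
    if (!in_array($parent, $allowedParents, true)) {
        throw new InvalidArgumentException("Unexpected insertion context: $parent");
    }

    // sanitize() always assumes a <body> context; every other parent
    // has to go through the context-sensitive sanitizeFor().
    return 'body' === $parent
        ? $sanitizer->sanitize($untrusted)
        : $sanitizer->sanitizeFor($parent, $untrusted);
}

// One sanitizer instance, configured once, reused for every context.
$sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())->allowSafeElements());

// Constructed sample input mixing head-only markup, body markup,
// an event-handler attribute and a script element.
$untrusted = '<title>Profile</title>'
    . '<p onclick="alert(1)">Hello <b>world</b></p>'
    . '<script>alert(1)</script>';

// The same input gives a different result per context, so the caller
// must pass the parent element that matches the real insertion point.
foreach (['body', 'head', 'title'] as $parent) {
    printf("%-5s => %s\n", $parent, sanitizeForSlot($sanitizer, $parent, $untrusted));
}
```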

createDomVisitorForContext()

private createDomVisitorForContext(string $context) : DomVisitor
Parameters
$context : string
Return values
DomVisitor

isValidUtf8()

private isValidUtf8(string $html) : bool
Parameters
$html : string
Return values
bool

        