HTML_Sanitizer
in package
Sanitize HTML body content
Remove dangerous tags and attributes that can lead to security issues like XSS or HTTP response splitting
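The description above names the filtering steps the class performs (dangerous tags, dangerous attributes, DOM event handlers, inline style, javascript: URLs). The block below is an added example in Python, not the HTML_Sanitizer class's own PHP code: it reimplements those steps as plain pattern filters so the effect of each documented method can be exercised on input. The tag list, the scheme denylist (javascript:, vbscript:, data:), the regexes and the sample markup are assumptions constructed for the example.

```python
import html
import re

# Added illustration of the steps documented for HTML_Sanitizer
# (removeEvilTags, removeDOMEvents, removeStyle, sanitizeHref/sanitizeSrc,
# removeJavascriptURL). Not the class's code; the lists and regexes below
# are assumptions for the example.

# Tags dropped by default; the class's allowScript()/allowObjects()/allowStyle()
# options would re-enable the corresponding ones.
ELEMENTS_WITH_BODY = ("script", "style")                  # drop element and its content
WRAPPER_TAGS = ("object", "embed", "applet", "param")     # drop the tags, keep inner text

# Schemes treated as script carriers (assumed list; the page names javascript:).
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# One attribute value: double-quoted, single-quoted or bare.
_ATTR = r"""\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)"""


def remove_evil_tags(doc: str) -> str:
    """Drop script/style elements with their bodies and object/embed/applet/param tags."""
    for name in ELEMENTS_WITH_BODY:
        doc = re.sub(rf"<\s*{name}\b[^>]*>.*?<\s*/\s*{name}\s*>", "", doc, flags=re.I | re.S)
        doc = re.sub(rf"<\s*/?\s*{name}\b[^>]*>", "", doc, flags=re.I)  # unclosed leftovers
    for name in WRAPPER_TAGS:
        doc = re.sub(rf"<\s*/?\s*{name}\b[^>]*>", "", doc, flags=re.I)
    return doc


def remove_dom_events(tag: str) -> str:
    """Strip on*= handlers (onclick, onerror, onload, ...) from one tag."""
    return re.sub(rf"\son[a-z]+{_ATTR}", "", tag, flags=re.I)


def remove_style(tag: str) -> str:
    """Strip style= from one tag (inline CSS can carry url() and expression())."""
    return re.sub(rf"\sstyle{_ATTR}", "", tag, flags=re.I)


def remove_javascript_url(url: str) -> str:
    """Return '' for URLs whose scheme runs script, after undoing common obfuscation."""
    # Decode entities (&#106;avascript:), then drop control characters and
    # whitespace (java\tscript:, leading newlines) that browsers ignore in a scheme.
    norm = html.unescape(url)
    norm = re.sub(r"[\x00-\x20\x7f]", "", norm).lower()
    return "" if norm.startswith(SCRIPT_SCHEMES) else url


def _clean_url_attr(match) -> str:
    name, quote, value = match.group(1), match.group(2), match.group(3)
    return f"{name}={quote}{remove_javascript_url(value)}{quote}"


def sanitize_url_attrs(tag: str) -> str:
    """Apply remove_javascript_url to quoted href= and src= values inside one tag."""
    return re.sub(r"""(href|src)\s*=\s*(["'])(.*?)\2""", _clean_url_attr, tag, flags=re.I | re.S)


def sanitize(doc: str) -> str:
    """Whole-document pass: evil tags first, then per-tag attribute cleaning."""
    doc = remove_evil_tags(doc)

    def fix_tag(m):
        return sanitize_url_attrs(remove_style(remove_dom_events(m.group(0))))

    return re.sub(r"<[^>]+>", fix_tag, doc)


SAMPLE = (  # constructed input covering each filter
    '<p onclick="steal()">Hi</p>'
    '<script>alert(1)</script>'
    '<a href=" JaVa&#x09;ScRiPt:alert(2)">x</a>'
    '<img src="/ok.png" onerror="alert(3)" style="background:url(evil)">'
    '<object data="x.swf"><param name="a" value="b"></object>tail'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Matching tags with a regex is fragile against malformed markup (a `>` inside an attribute value, unterminated tags, mis-nested elements), so the robust design is to parse the input into a DOM and rebuild it from an allowlist of elements and attributes; if a pattern-based filter like this one is used anyway, exercise it with obfuscated inputs (entity-encoded schemes, embedded tabs and newlines, mixed case) before trusting it.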
Table of Contents
- $_additionalTags : mixed
- $_allowDOMEvents : bool
- $_allowedTags : mixed
- $_allowJavascriptInUrls : mixed
- $_allowObjects : mixed
- $_allowScript : mixed
- $_allowStyle : mixed
- __construct() : mixed
- Constructor
- _removeDOMEventsCallback() : string
- Callback for PCRE
- _removeStyleCallback() : string
- Callback for PCRE
- _sanitizeSrcCallback() : string
- Callback for PCRE
- _sanitizeURLCallback() : string
- Callback for PCRE
- allowAllJavascript() : mixed
- Helper to allow all javascript related tags and attributes
- allowDOMEvents() : mixed
- Allow DOM event on DOM elements
- allowJavascriptInUrls() : mixed
- Allow the use of javascript: in urls
- allowObjects() : mixed
- Allow object, embed, applet and param tags in html
- allowScript() : mixed
- Allow script tags
- allowStyle() : mixed
- Allow style tags and attributes
- filterHTTPResponseSplitting() : string
- Filter URLs to avoid HTTP response splitting attacks
- removeDOMEvents() : string
- Remove DOM events attributes from html tags
- removeJavascriptURL() : string
- Remove potential javascript in urls
- removeStyle() : string
- Remove style attributes from html tags
- resetAll() : mixed
- (re)set all options to default value
- sanitize() : string
- Sanitize HTML: remove dangerous tags and attributes and clean URLs
- sanitizeURL() : string
- Remove potential flaws in urls
- removeEvilAttributes() : string
- Remove dangerous attributes from html tags
- removeEvilTags() : string
- Remove dangerous HTML tags
- sanitizeHref() : string
- Remove potential flaws in href attributes
- sanitizeSrc() : string
- Remove potential flaws in src attributes
Properties
$_additionalTags
public
mixed
$_additionalTags
$_allowDOMEvents
public
bool
$_allowDOMEvents
$_allowedTags
public
mixed
$_allowedTags
$_allowJavascriptInUrls
public
mixed
$_allowJavascriptInUrls
$_allowObjects
public
mixed
$_allowObjects
$_allowScript
public
mixed
$_allowScript
$_allowStyle
public
mixed
$_allowStyle
Methods
__construct()
Constructor
public
__construct() : mixed
Return values
mixed
_removeDOMEventsCallback()
Callback for PCRE
public
_removeDOMEventsCallback(array<string|int, mixed> $matches) : string
Parameters
- $matches : array<string|int, mixed>
Return values
string
_removeStyleCallback()
Callback for PCRE
public
_removeStyleCallback(array<string|int, mixed> $matches) : string
Parameters
- $matches : array<string|int, mixed>
Return values
string
_sanitizeSrcCallback()
Callback for PCRE
public
_sanitizeSrcCallback(array<string|int, mixed> $matches) : string
Parameters
- $matches : array<string|int, mixed>
Return values
string
_sanitizeURLCallback()
Callback for PCRE
public
_sanitizeURLCallback(array<string|int, mixed> $matches) : string
Parameters
- $matches : array<string|int, mixed>
Return values
string
allowAllJavascript()
Helper to allow all javascript related tags and attributes
public
allowAllJavascript() : mixed
Return values
mixed
allowDOMEvents()
Allow DOM event on DOM elements
public
allowDOMEvents() : mixed
Return values
mixed
allowJavascriptInUrls()
Allow the use of javascript: in urls
public
allowJavascriptInUrls() : mixed
Return values
mixed
allowObjects()
Allow object, embed, applet and param tags in html
public
allowObjects() : mixed
Return values
mixed
allowScript()
Allow script tags
public
allowScript() : mixed
Return values
mixed
allowStyle()
Allow style tags and attributes
public
allowStyle() : mixed
Return values
mixed
filterHTTPResponseSplitting()
Filter URLs to avoid HTTP response splitting attacks
public
filterHTTPResponseSplitting(string $url) : string
Parameters
- $url : string (url)
Return values
string —filtered url
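filterHTTPResponseSplitting() exists because a URL that ends up in a response header (typically Location on a redirect) can carry a carriage return and line feed, and the pair terminates the header line so whatever follows becomes further headers or body. The block below is an added Python example, not the class's PHP code: it models that naive redirect, shows the injected header lines appearing from a constructed attacker parameter, and shows a CR/LF filter closing the gap. The function name mirrors the method for readability only; the filter's exact rules and the sample parameter are assumptions.

```python
import re
from urllib.parse import unquote

# Added illustration of the HTTP response splitting case that
# filterHTTPResponseSplitting() guards against. Not the class's code.

# Raw CR/LF plus their percent-encoded forms (%0d/%0a in either case).
# Double-encoded forms such as %250d are left alone here; strip or reject
# them too if something downstream decodes the value a second time.
_CRLF_FORMS = re.compile(r"\r|\n|%0[dDaA]")


def filter_http_response_splitting(url: str) -> str:
    """Remove every CR/LF form from a URL before it is placed in a header."""
    return _CRLF_FORMS.sub("", url)


def build_redirect_headers(url: str) -> list:
    """Model a naive redirect: the URL is concatenated into Location unchanged.

    Returns the header lines a client would see after splitting on CRLF, which is
    exactly where an embedded CR/LF turns one header into several.
    """
    return ("Location: " + url).split("\r\n")


# Constructed attacker value as it would arrive in a query string; a web
# framework URL-decodes it before the application sees it, so %0d%0a becomes
# a real CR/LF by the time it reaches the redirect code.
ATTACK_PARAM = (
    "http://example.com/%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>injected"
)

if __name__ == "__main__":
    decoded = unquote(ATTACK_PARAM)
    print("unfiltered:", build_redirect_headers(decoded))
    print("filtered:  ", build_redirect_headers(filter_http_response_splitting(decoded)))
```

Stripping keeps the request alive with a mangled URL; rejecting the request outright (or validating the value against an allowlist of redirect targets) is the stricter choice when the URL is user-controlled, and modern HTTP libraries refuse header values containing CR or LF for the same reason.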
removeDOMEvents()
Remove DOM events attributes from html tags
public
removeDOMEvents(string $str) : string
Parameters
- $str : string (html tag)
Return values
string —filtered html tag
removeJavascriptURL()
Remove potential javascript in urls
public
removeJavascriptURL(string $str) : string
Parameters
- $str : string (url)
Return values
string —filtered url
removeStyle()
Remove style attributes from html tags
public
removeStyle(string $str) : string
Parameters
- $str : string (html tag)
Return values
string —filtered html tag
resetAll()
(re)set all options to default value
public
resetAll() : mixed
Return values
mixed
sanitize()
Sanitize HTML: remove dangerous tags and attributes and clean URLs
public
sanitize(string $html) : string
Parameters
- $html : string (html code)
Return values
string —sanitized html code
sanitizeURL()
Remove potential flaws in urls
public
sanitizeURL(string $url) : string
Parameters
- $url : string (url)
Return values
string —filtered url
removeEvilAttributes()
Remove dangerous attributes from html tags
protected
removeEvilAttributes(string $str) : string
Parameters
- $str : string (html tag)
Return values
string —filtered html tag
removeEvilTags()
Remove dangerous HTML tags
protected
removeEvilTags(string $str) : string
Parameters
- $str : string (html code)
Return values
string —filtered html code
sanitizeHref()
Remove potential flaws in href attributes
protected
sanitizeHref(string $str) : string
Parameters
- $str : string (html tag)
Return values
string —filtered html tag
sanitizeSrc()
Remove potential flaws in src attributes
protected
sanitizeSrc(string $str) : string
Parameters
- $str : string (html tag)
Return values
string —filtered html tag