README

Pipeline-based HTML and XML sanitizer for PHP. Removes script tags, event handlers, PHP tags, CDATA injections, and other XSS vectors through a configurable chain of cleanup steps.

Installation

composer require ipedis/file-sanitizer

Quick Start

use Ipedis\FileSanitizer\Sanitizer\Sanitize;

$sanitizer = new Sanitize(type: 'html');
$result = $sanitizer->process('<div onclick="alert(1)"><script>evil()</script>Hello</div>');

echo $result->getContent(); // <div>Hello</div>

XML sanitization

$sanitizer = new Sanitize(type: 'xml');
$result = $sanitizer->process($xmlContent);

Custom configuration

use Ipedis\FileSanitizer\Configuration\Configuration;
use Ipedis\FileSanitizer\Pipeline\Steps\PhpTagCleanupStep;

// Skip specific steps
$config = new Configuration(
    ignoredSteps: [PhpTagCleanupStep::class],
);

$sanitizer = new Sanitize(type: 'html', configuration: $config);

Custom cleanup steps

use Ipedis\FileSanitizer\Pipeline\Steps\CleanupStepAbstract;
use Ipedis\FileSanitizer\Pipeline\Payload;

class MyCustomStep extends CleanupStepAbstract
{
    protected function process(Payload $payload): Payload
    {
        $content = preg_replace('/pattern/', '', $payload->getContent());
        return $payload->setContent($content);
    }
}

$config = new Configuration(customSteps: [MyCustomStep::class]);
$sanitizer = new Sanitize(type: 'html', configuration: $config);

Cleanup Steps

HTML pipeline

XML pipeline

Compatibility

Local Development

Requires Docker.

make up        # Start container
make install   # Install dependencies
make qa        # Run full QA suite (rector + pint + phpstan + tests)

Available targets:

Disclaimer

This package is maintained by Ipedis. It is provided as-is under the terms of its license.