symfony/html-sanitizer
Composer 安装命令:
composer require symfony/html-sanitizer
包简介
Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
关键字:
README 文档
README
The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
Usage
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig; use Symfony\Component\HtmlSanitizer\HtmlSanitizer; // By default, an element not added to the allowed or blocked elements // will be dropped, including its children $config = (new HtmlSanitizerConfig()) // Allow "safe" elements and attributes. All scripts will be removed // as well as other dangerous behaviors like CSS injection ->allowSafeElements() // Allow all static elements and attributes from the W3C Sanitizer API // standard. All scripts will be removed but the output may still contain // other dangerous behaviors like CSS injection (click-jacking), CSS // expressions, ... ->allowStaticElements() // Allow the "div" element and no attribute can be on it ->allowElement('div') // Allow the "a" element, and the "title" attribute to be on it ->allowElement('a', ['title']) // Allow the "span" element, and any attribute from the Sanitizer API is allowed // (see https://wicg.github.io/sanitizer-api/#default-configuration) ->allowElement('span', '*') // Block the "section" element: this element will be removed but // its children will be retained ->blockElement('section') // Drop the "div" element: this element will be removed, including its children ->dropElement('div') // Allow the attribute "title" on the "div" element ->allowAttribute('title', ['div']) // Allow the attribute "data-custom-attr" on all currently allowed elements ->allowAttribute('data-custom-attr', '*') // Drop the "data-custom-attr" attribute from the "div" element: // this attribute will be removed ->dropAttribute('data-custom-attr', ['div']) // Drop the "data-custom-attr" attribute from all elements: // this attribute will be removed ->dropAttribute('data-custom-attr', '*') // Forcefully set the value of all "rel" attributes on "a" // elements to "noopener noreferrer" ->forceAttribute('a', 'rel', 'noopener noreferrer') // Transform all HTTP schemes to HTTPS ->forceHttpsUrls() // Configure which schemes are allowed in links (others will be dropped) ->allowLinkSchemes(['https', 'http', 'mailto']) // Configure which hosts are allowed in links (by default all are allowed) ->allowLinkHosts(['symfony.com', 'example.com']) // Allow relative URL in links (by default they are dropped) ->allowRelativeLinks() // Configure which schemes are allowed in img/audio/video/iframe (others will be dropped) ->allowMediaSchemes(['https', 'http']) // Configure which hosts are allowed in img/audio/video/iframe (by default all are allowed) ->allowMediaHosts(['symfony.com', 'example.com']) // Allow relative URL in img/audio/video/iframe (by default they are dropped) ->allowRelativeMedias() // Configure a custom attribute sanitizer to apply custom sanitization logic // ($attributeSanitizer instance of AttributeSanitizerInterface) ->withAttributeSanitizer($attributeSanitizer) // Unregister a previously registered attribute sanitizer // ($attributeSanitizer instance of AttributeSanitizerInterface) ->withoutAttributeSanitizer($attributeSanitizer) ; $sanitizer = new HtmlSanitizer($config); // Sanitize a given string, using the configuration provided and in the // "body" context (tags only allowed in <head> will be removed) $sanitizer->sanitize($userInput); // Sanitize the given string for a usage in a <head> tag $sanitizer->sanitizeFor('head', $userInput); // Sanitize the given string for a usage in another tag $sanitizer->sanitizeFor('title', $userInput); // Will encode as HTML entities $sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities $sanitizer->sanitizeFor('div', $userInput); // Will sanitize as body $sanitizer->sanitizeFor('section', $userInput); // Will sanitize as body // ...
Sponsor
This package is looking for a backer.
Help Symfony by sponsoring its development!
Resources
symfony/html-sanitizer 适用场景与选型建议
symfony/html-sanitizer 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 41.24M 次下载、GitHub Stars 达 280, 最近一次更新时间为 2021 年 12 月 28 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「html」 「sanitizer」 「Purifier」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 symfony/html-sanitizer 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 symfony/html-sanitizer 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 symfony/html-sanitizer 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Texy converts plain text in easy to read Texy syntax into structurally valid (X)HTML. It supports adding of images, links, nested lists, tables and has full support for CSS. Texy supports hyphenation of long words (which reflects language rules), clickable emails and URL (emails are obfuscated again
HTML Purifier integration module for Zend Framework 3
Runn Me! Validation and Sanitization Library
Data sanitizer forked from Waavi/Sanitaize with support for Laravel 5 to 8. .
😷 Sanitize your objects with attributes.
HTML and form generation
统计信息
- 总下载量: 41.24M
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 282
- 点击次数: 29
- 依赖项目数: 68
- 推荐数: 4
其他信息
- 授权协议: MIT
- 更新时间: 2021-12-28