interface HtmlSanitizerInterface

Sanitizes an untrusted HTML input for safe insertion into a document's DOM.

This interface is inspired by the W3C Standard Draft about an HTML Sanitizer API (see https://wicg.github.io/sanitizer-api/).

Methods

string
sanitize(string $input)

Sanitizes an untrusted HTML input for a context.

string
sanitizeFor(string $element, string $input)

Sanitizes an untrusted HTML input for a given context.

Details

string sanitize(string $input)

Sanitizes an untrusted HTML input for a context.

This method is NOT context sensitive: it assumes the returned HTML string will be injected in a "body" context, and therefore will drop tags only allowed in the "head" element. To sanitize a string for injection in the "head" element, use HtmlSanitizerInterface::sanitizeFor().

Parameters

string $input

Return Value

string

string sanitizeFor(string $element, string $input)

Sanitizes an untrusted HTML input for a given context.

This method is context sensitive: by providing a parent element name (body, head, title, ...), the sanitizer will adapt its rules to only allow elements that are valid inside the given parent element.

Parameters

string $element
string $input

Return Value

string
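The following is an added usage example, not code from the Symfony component or its documentation. It exercises both methods through the component's concrete HtmlSanitizer implementation (assumed to be installed as symfony/html-sanitizer) to show the difference between the body-only sanitize() and the context-aware sanitizeFor(): active content such as a script element is dropped in both cases, while a head-only element like title survives only when the caller states that the output is destined for the head. The sample inputs are constructed for illustration.

```php
<?php
// Added example (not part of the Symfony documentation).
// Assumes symfony/html-sanitizer is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;

// Start from the W3C "safe" element set and additionally allow <title>,
// which is only valid inside <head>. Attributes on allowed elements are
// still filtered by the config; nothing here allows event handlers.
$config = (new HtmlSanitizerConfig())
    ->allowSafeElements()
    ->allowElement('title')
    ->forceHttpsUrls()
    ->withMaxInputLength(20_000);

/** @var HtmlSanitizerInterface $sanitizer */
$sanitizer = new HtmlSanitizer($config);

// Constructed untrusted input: a head-only element plus body content
// carrying an inline script and an inline event handler.
$untrusted = '<title>Untrusted title</title>'
    . '<p onclick="steal()">Hello <b>world</b></p>'
    . '<script>alert(1)</script>'
    . '<a href="http://example.com/">link</a>';

// 1) Body context (default). <title> is not valid in <body>, so the
//    sanitizer drops it; <script> and the onclick attribute are removed;
//    the link is kept but rewritten to https because of forceHttpsUrls().
$forBody = $sanitizer->sanitize($untrusted);
echo "Body context:\n", $forBody, "\n\n";

// 2) Head context. Only elements valid inside <head> are kept, so the
//    <title> is preserved while the <p>, <a> and <script> are removed.
$forHead = $sanitizer->sanitizeFor('head', $untrusted);
echo "Head context:\n", $forHead, "\n";

// Defensive check a consumer can add: regardless of context, the output
// must never contain a script element. This is an assertion on the
// sanitizer's contract, not a replacement for it.
foreach ([$forBody, $forHead] as $output) {
    if (stripos($output, '<script') !== false) {
        throw new RuntimeException('Sanitizer output unexpectedly contains a script element');
    }
}
```

When the same string is to be inserted into more than one place in a document, sanitize it once per destination context rather than reusing the body-context result, since sanitize() deliberately strips elements that a head insertion would need.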