MarkupHTMLPurifier

Front-end to the HTML Purifier library, providing standards-compliant HTML sanitization and validation for ProcessWire

It removes malicious code (XSS) via a secure whitelist and ensures documents are standards-compliant.

$purifier = $modules->get('MarkupHTMLPurifier');
$cleanHTML = $purifier->purify($dirtyHTML);

HTML Purifier config options can be set through set() before calling purify(). The module creates a dedicated cache directory automatically and registers HTML5 definitions for <figure> and <figcaption>.

Expand all      API reference

Methods

purify($html)

Purify the given HTML string and return sanitized HTML.

$dirty = '<p onclick="alert(\'xss\')">Hello</p>';
$clean = $purifier->purify($dirty); // <p>Hello</p>
ParameterTypeDescription
$htmlstringHTML to sanitize
ReturnsstringSanitized HTML

set($key, $value)

Set an HTML Purifier configuration option or a WireData property.

If $key contains a dot, it is forwarded to HTML Purifier's config. Any other key is stored as a regular WireData property. Changing an HTML Purifier setting clears the cached purifier instance so the new value takes effect on the next purify() call.

$purifier->set('HTML.Allowed', 'p,b,a[href]');
$purifier->set('AutoFormat.AutoParagraph', true);
$purifier->set('Core.Encoding', 'ISO-8859-1');
ParameterTypeDescription
$keystringConfig key; dotted keys are HTML Purifier settings
$valuemixedValue to set
Returns$thisReturns the purifier instance for method chaining

get($key)

Get an HTML Purifier configuration option or a WireData property.

If $key contains a dot, the value is read from HTML Purifier's config; otherwise the parent WireData get() behavior is used.

$encoding = $purifier->get('Core.Encoding');
ParameterTypeDescription
$keystringConfig or property key
ReturnsmixedThe current value, or null if not set

getConfig()

Return the underlying HTMLPurifier_Config instance.

$config = $purifier->getConfig();
$config->set('HTML.Allowed', 'p,b,strong,em,i');

| Returns | \HTMLPurifier_Config |

getDef()

Return the raw HTML definition object (HTMLPurifier_HTMLDefinition) used to register custom elements and attributes. This is only available after init() has run, which happens automatically when the module is loaded.

$def = $purifier->getDef();
if($def) {
    $def->addAttribute('a', 'data-ext', 'Text');
}

| Returns | \HTMLPurifier_HTMLDefinition|null |

getPurifier()

Return the cached HTMLPurifier instance, creating it on first call.

$htmlpurifier = $purifier->getPurifier();
$clean = $htmlpurifier->purify($html);

| Returns | \HTMLPurifier |

clearCache()

Remove all cached HTML Purifier serializer files.

$purifier->clearCache();

| Returns | void |

Hooks

MarkupHTMLPurifier extends WireData and inherits its hooks. The following hook is commonly used to customize the HTML Purifier configuration.

HookWhenArguments
MarkupHTMLPurifier::initConfigAfter default config and HTML definition are set, before the purifier is created$settings (\HTMLPurifier_Config), $def (\HTMLPurifier_HTMLDefinition)
$wire->addHookAfter('MarkupHTMLPurifier::initConfig', function(HookEvent $event) {
    $settings = $event->arguments(0); /** @var \HTMLPurifier_Config $settings */
    $def = $event->arguments(1); /** @var \HTMLPurifier_HTMLDefinition $def */
    $def->addAttribute('a', 'data-download', 'Text');
});
Notes
  • Access the module through $modules->get('MarkupHTMLPurifier').
  • For the full list of HTML Purifier configuration options, see htmlpurifier.org/live/configdoc/plain.html.
  • The module defaults to UTF-8 encoding, allows nofollow, noopener, and noreferrer in rel attributes, and registers <figure> and <figcaption> elements.
  • Extends WireData and implements Module.
  • Source file: wire/modules/Markup/MarkupHTMLPurifier/MarkupHTMLPurifier.module

API reference: methods

USAGE:

$purifier = $modules->get('MarkupHTMLPurifier'); $cleanHTML = $purifier->purify($dirtyHTML);

To specify custom settings to HTML Purifier, perform set() calls before calling purify(). For example, UTF-8 encoding is assumed, so if you wanted ISO-8859-1 instead, you'd do:

$purifier->set('Core.Encoding', 'ISO-8859-1');

For a full list of HTML Purifier config options, see:

HTML Purifier by: http://htmlpurifier.org


Click any linked item for full usage details and examples. Hookable methods are indicated with the icon. In addition to those shown below, the MarkupHTMLPurifier class also inherits all the methods and properties of: WireData and Wire.

Show class?     Show args?       Only hookable?    

Additional methods and properties

In addition to the methods and properties above, MarkupHTMLPurifier also inherits the methods and properties of these classes:

API reference based on ProcessWire core version 3.0.269