MarkupHTMLPurifier
Front-end to the HTML Purifier library, providing standards-compliant HTML sanitization and validation for ProcessWire
It removes malicious code (XSS) via a secure whitelist and ensures documents are standards-compliant.
$purifier = $modules->get('MarkupHTMLPurifier');
$cleanHTML = $purifier->purify($dirtyHTML); HTML Purifier config options can be set through set() before calling purify(). The module creates a dedicated cache directory automatically and registers HTML5 definitions for <figure> and <figcaption>.
Expand all Collapse all API reference
purify($html)
Purify the given HTML string and return sanitized HTML.
$dirty = '<p onclick="alert(\'xss\')">Hello</p>';
$clean = $purifier->purify($dirty); // <p>Hello</p>| Parameter | Type | Description |
|---|---|---|
$html | string | HTML to sanitize |
| Returns | string | Sanitized HTML |
set($key, $value)
Set an HTML Purifier configuration option or a WireData property.
If $key contains a dot, it is forwarded to HTML Purifier's config. Any other key is stored as a regular WireData property. Changing an HTML Purifier setting clears the cached purifier instance so the new value takes effect on the next purify() call.
$purifier->set('HTML.Allowed', 'p,b,a[href]');
$purifier->set('AutoFormat.AutoParagraph', true);
$purifier->set('Core.Encoding', 'ISO-8859-1');| Parameter | Type | Description |
|---|---|---|
$key | string | Config key; dotted keys are HTML Purifier settings |
$value | mixed | Value to set |
| Returns | $this | Returns the purifier instance for method chaining |
get($key)
Get an HTML Purifier configuration option or a WireData property.
If $key contains a dot, the value is read from HTML Purifier's config; otherwise the parent WireData get() behavior is used.
$encoding = $purifier->get('Core.Encoding');| Parameter | Type | Description |
|---|---|---|
$key | string | Config or property key |
| Returns | mixed | The current value, or null if not set |
getConfig()
Return the underlying HTMLPurifier_Config instance.
$config = $purifier->getConfig();
$config->set('HTML.Allowed', 'p,b,strong,em,i');| Returns | \HTMLPurifier_Config |
getDef()
Return the raw HTML definition object (HTMLPurifier_HTMLDefinition) used to register custom elements and attributes. This is only available after init() has run, which happens automatically when the module is loaded.
$def = $purifier->getDef();
if($def) {
$def->addAttribute('a', 'data-ext', 'Text');
}| Returns | \HTMLPurifier_HTMLDefinition|null |
getPurifier()
Return the cached HTMLPurifier instance, creating it on first call.
$htmlpurifier = $purifier->getPurifier();
$clean = $htmlpurifier->purify($html);| Returns | \HTMLPurifier |
clearCache()
Remove all cached HTML Purifier serializer files.
$purifier->clearCache();| Returns | void |
Markup extends WireData and inherits its hooks. The following hook is commonly used to customize the HTML Purifier configuration.
| Hook | When | Arguments |
|---|---|---|
Markup | After default config and HTML definition are set, before the purifier is created | $settings (\HTMLPurifier_Config), $def (\HTMLPurifier_HTMLDefinition) |
$wire->addHookAfter('MarkupHTMLPurifier::initConfig', function(HookEvent $event) {
$settings = $event->arguments(0); /** @var \HTMLPurifier_Config $settings */
$def = $event->arguments(1); /** @var \HTMLPurifier_HTMLDefinition $def */
$def->addAttribute('a', 'data-download', 'Text');
}); - Access the module through
$modules->get('Markup.H T M L Purifier') - For the full list of HTML Purifier configuration options, see htmlpurifier.org/live/configdoc/plain.html.
- The module defaults to UTF-8 encoding, allows
nofollow,noopener, andnoreferrerinrelattributes, and registers<figure>and<figcaption>elements. - Extends WireData and implements
Module. - Source file:
wire/modules/Markup/MarkupH T M L Purifier/Markup H T M L Purifier.module
API reference: methods
USAGE:
$purifier = $modules->get('Markup To specify custom settings to HTML Purifier, perform set()
calls before calling purify(). For example, UTF-8 encoding
is assumed, so if you wanted ISO-8859-1 instead, you'd do: $purifier->set('Core.Encoding', 'ISO-8859-1'); For a full list of HTML Purifier config options, see: HTML Purifier by: http://htmlpurifier.org Click any linked item for full usage details and examples. Hookable methods are indicated with the icon. In addition to those shown below, the In addition to the methods and properties above, MarkupMarkup class also inherits all the methods and properties of: WireData and Wire.Common
Additional methods and properties
API reference based on ProcessWire core version 3.0.269