Safely encode content for rendering in an HTML document.

0.2.0 2016-08-12 00:42 UTC

This package is auto-updated.

Last update: 2020-05-25 02:06:36 UTC

Brief XSS Mitigation Guide

A quote from [Paragon Initiative's blog](https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know):

  1. If your framework has a templating engine that offers automatic contextual filtering, use that.
  2. `echo htmlentities($string, ENT_QUOTES | ENT_HTML5, 'UTF-8');` is a safe and effective way to stop all XSS attacks on a UTF-8 encoded web page, but doesn't allow any HTML.
  3. If your requirements allow you to use Markdown instead of HTML, don't use HTML.
  4. If you need to allow some HTML and aren't using a templating engine (see #1), use HTML Purifier.


```sh
composer require abacaphiliac/php-no-html
```


The following code is an example of an XSS exploit: the value is written into a double-quoted attribute unescaped, so the embedded `"/>` closes the attribute and the tag and the rest is parsed as live markup.

```php
<?php
// The single quotes inside the payload are escaped so the PHP string literal parses.
$userName = 'Bob"/><script>alert(\'XSS\');</script>';
?><input name="UserName" value="<?=$userName;?>" /><?php
```

Simply escape the value in the response to prevent the exploit:

```php
<?php
$userName = 'Bob"/><script>alert(\'XSS\');</script>';
?><input name="UserName" value="<?=\NoHtml\NoHtml::filter($userName);?>" /><?php
```
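As an added example that is not part of the abacaphiliac/php-no-html package, the script below applies the escaping rule quoted from the Paragon blog (`htmlentities()` with `ENT_QUOTES | ENT_HTML5` and `'UTF-8'`) to the README's own payload, renders the `<input>` both raw and escaped, and checks that no character capable of ending the attribute or opening a tag survives. `NoHtml::filter()` is the package's own entry point and is not reimplemented or described here; the helper names `escapeHtml`, `renderInput` and `isInert` are this example's own.

```php
<?php
declare(strict_types=1);

// Added example; not code from the abacaphiliac/php-no-html package.
// It applies the escaping rule quoted from the Paragon blog
// (htmlentities with ENT_QUOTES | ENT_HTML5 and 'UTF-8') to the
// README's payload and verifies the result.

/**
 * Escape a value for HTML text content or a quoted attribute value.
 * ENT_QUOTES encodes both " and ' so the value cannot terminate either
 * kind of quoted attribute; ENT_HTML5 selects the HTML5 entity table;
 * 'UTF-8' must match the encoding the page is actually served in.
 */
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render the README's <input> with the supplied escaping callable, so
 * the raw and escaped outputs can be compared side by side.
 */
function renderInput(string $userName, callable $escape): string
{
    return '<input name="UserName" value="' . $escape($userName) . '" />';
}

/**
 * True when none of the characters that can end a quoted attribute
 * value or open a tag (< > " ') remain in the escaped string.
 */
function isInert(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') === false;
}

// Payload from the README (constructed test input): the " closes the
// attribute value, the /> closes the tag, and a script element follows.
$payload = 'Bob"/><script>alert(\'XSS\');</script>';

$raw     = renderInput($payload, static fn (string $v): string => $v);
$escaped = renderInput($payload, 'escapeHtml');

echo 'raw:     ', $raw, PHP_EOL;
echo 'escaped: ', $escaped, PHP_EOL;

// Self-check: the unescaped payload is not inert, the escaped one is.
if (isInert($payload)) {
    throw new RuntimeException('payload unexpectedly contains no markup characters');
}
if (!isInert(escapeHtml($payload))) {
    throw new RuntimeException('escaping left a markup-significant character in place');
}
echo 'ok: escaped value contains none of < > " \'', PHP_EOL;
```

Run it with `php example.php`. The check deliberately tests for the absence of the four significant characters rather than for an exact output string, because the HTML5 entity table used by `ENT_HTML5` also names punctuation such as `/`, so the exact entities emitted are an implementation detail. This covers text content and quoted attribute values only; a value placed in an unquoted attribute, a `<script>` block, a CSS declaration or a URL needs an encoder for that context, which is what the quote's first point about contextual filtering refers to.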


See composer.json.


```sh
composer update && vendor/bin/phing
```

This library attempts to comply with PSR-1, PSR-2, and PSR-4. If you notice compliance oversights, please send a patch via pull request.