jeffersongoncalves/laravel-html-sanitizer

Maintainers

Package info

github.com/jeffersongoncalves/laravel-html-sanitizer

pkg:composer/jeffersongoncalves/laravel-html-sanitizer

jeffersongoncalves

v1.1.1 2026-06-20 21:24 UTC


README

Laravel HTML Sanitizer

This Laravel package provides a simple wrapper around the Symfony HTML Sanitizer to safely clean untrusted HTML. It strips scripts, inline event handlers, and Alpine attributes while keeping the presentational subset (headings, lists, tables, code blocks, images, links) that rendered Markdown and READMEs need. The package is easy to install and configure, seamlessly integrating with your existing Laravel application.

Installation

You can install the package via composer:

composer require jeffersongoncalves/laravel-html-sanitizer

Usage

Pass any untrusted HTML through HtmlSanitizer::clean() before rendering it:

use JeffersonGoncalves\HtmlSanitizer\HtmlSanitizer;

$dirty = '<p>Hello</p><script>alert("xss")</script><img src="x" onerror="steal()">';

$clean = HtmlSanitizer::clean($dirty);
// <p>Hello</p><img src="x">

The sanitizer:

  • drops <script>, <style> and every event-handler attribute (onerror, onclick, ...);
  • strips Alpine x-* attributes;
  • keeps the safe presentational subset: headings, lists, tables, code blocks, images and links;
  • allows relative link and media URLs, plus the https, http and mailto link schemes (and the data scheme for media);
  • preserves class/id attributes (for heading permalinks, code-language hints and table wrappers) and width/height on <img>.

It is intended for rendered HTML that originated from untrusted sources — GitHub READMEs of third-party repos and the Markdown body of imported articles — where raw HTML is enabled during rendering.
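A regression test that pins down the guarantees listed above, so a dependency upgrade that loosens the allow-list fails CI. This is an added example, not code from the package; the namespace, class name and PHPUnit setup are assumptions.

```php
<?php
// Added example, not part of the package: a PHPUnit regression test for the
// guarantees listed in the README. Namespace, class name and PHPUnit setup are assumed.

namespace Tests\Unit;

use JeffersonGoncalves\HtmlSanitizer\HtmlSanitizer;
use PHPUnit\Framework\TestCase;

final class HtmlSanitizerGuaranteesTest extends TestCase
{
    public function test_active_content_is_removed(): void
    {
        // Constructed sample: script, event handler, Alpine directives, javascript: URL.
        $dirty = '<p>Hello</p>'
            . '<script>alert("xss")</script>'
            . '<img src="x" onerror="steal()">'
            . '<div x-data="{}" x-on:click="steal()">text</div>'
            . '<a href="javascript:steal()">link</a>';

        $clean = HtmlSanitizer::clean($dirty);
        // Content survives, nothing executable does. Substring checks keep the
        // test independent of the exact serialisation (e.g. <img ...> vs <img ... />).
        $this->assertStringContainsString('<p>Hello</p>', $clean);
        $this->assertStringContainsString('<img src="x"', $clean);
        $this->assertStringNotContainsStringIgnoringCase('<script', $clean);
        $this->assertStringNotContainsString('alert(', $clean);
        $this->assertStringNotContainsStringIgnoringCase('onerror', $clean);
        $this->assertStringNotContainsString('x-data', $clean);
        $this->assertStringNotContainsString('x-on:', $clean);
        $this->assertStringNotContainsStringIgnoringCase('javascript:', $clean);
    }

    public function test_presentational_subset_is_kept(): void
    {
        // Constructed sample covering the allowed subset: id/class, code block, link schemes.
        $dirty = '<h2 id="intro">Intro</h2>'
            . '<pre><code class="language-php">echo 1;</code></pre>'
            . '<a href="https://example.com/">site</a>'
            . '<a href="mailto:a@example.com">mail</a>'
            . '<a href="/docs/">relative</a>';

        $clean = HtmlSanitizer::clean($dirty);
        $this->assertStringContainsString('id="intro"', $clean);
        $this->assertStringContainsString('class="language-php"', $clean);
        $this->assertStringContainsString('href="https://example.com/"', $clean);
        $this->assertStringContainsString('href="mailto:a@example.com"', $clean);
        $this->assertStringContainsString('href="/docs/"', $clean);
    }
}
```

Run it with the package's own `composer test` (or `vendor/bin/phpunit`); the only place the cleaned string should then be echoed unescaped is a Blade `{!! !!}` after `HtmlSanitizer::clean()`, never before.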

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

License

The MIT License (MIT). Please see License File for more information.