Release 4.10.0

[htmlpurifier-web.git] / index.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
  xmlns="http://www.w3.org/1999/xhtml"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xc="urn:xhtml-compiler"
  xmlns:news="urn:xhtml-compiler:News"
  xc:rss-from-git="yes"
  xml:lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description"
  content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords"
  content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
<script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
<!-- OpenID for Edward Z. Yang -->
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://edwardzyang.pip.verisignlabs.com/" />
<!-- Google OpenSearch -->
<link rel="search" href="opensearchdescription.xml"
  type="application/opensearchdescription+xml"
  title="HTML Purifier" />
</head>
<body>

<div id="branding">
  <h1>
    <span class="html">HTML</span>
    <span class="purifier">Purifier</span>
  </h1>
  <blockquote>
    <p>
      Standards-Compliant HTML Filtering
    </p>
  </blockquote>
</div>

<xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />

<div id="main">
<div id="content">

<div id="summary">
  <h2>Summary</h2>
  <div id="summary-safe">
    <h3>Safe</h3>
    <p>
      HTML Purifier defeats XSS with an audited whitelist
    </p>
  </div>
  <div id="summary-clean">
    <h3>Clean</h3>
    <p>
      HTML Purifier ensures standards-compliant output
    </p>
  </div>
  <div id="summary-open">
    <h3>Open</h3>
    <p>
      HTML Purifier is open-source and highly customizable
    </p>
  </div>
</div>

<div id="intro">
  <p><strong>HTML Purifier</strong> is a standards-compliant 
  <abbr>HTML</abbr> filter library written in 
  <abbr>PHP</abbr>. HTML Purifier will not only remove all malicious 
  code (better known as <abbr>XSS</abbr>) with a thoroughly audited, 
  secure <em>yet</em> permissive <strong><a 
  href="live/smoketests/printDefinition.php">whitelist</a></strong>,
  it will also make sure your documents are 
  <strong>standards compliant</strong>, something only achievable with a 
  comprehensive knowledge of <abbr>W3C</abbr>'s specifications. 
  Tired of using BBCode due to the current landscape of deficient or 
  insecure <abbr>HTML</abbr> filters? Have a 
  <strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking 
  for high-quality, standards-compliant, open-source components for that 
  application you're building? HTML Purifier is for you!</p> 
  
  <blockquote class="fancy">
  <div class="quote">
      I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
      filtering emails against XSS attacks and we've been more than impressed.
  </div>
  <div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
  </blockquote>
  
  <xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />
  
</div>

<div class="clear">

<div id="BackgroundContainer">
  <h2 id="Background">Background</h2>

  <p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
  there on the web already.  What sets HTML Purifier apart from them?
  Aren't all of these choices <q>secure</q>?</p>

  <p>When it comes to <abbr>HTML</abbr>, <strong>attention to 
  detail</strong> is key. Does it perform its filtering off a  
  whitelist rather than an out-of-date blacklist? Does it filter every
  attribute in the document? Does it actually understand <abbr>HTML</abbr>?</p> 

  <p><strong>Know thy enemy.</strong> Hackers have a huge arsenal of 
  <abbr>XSS</abbr> vectors hidden within the depths of the 
  <abbr>HTML</abbr> specification. HTML Purifier is
  effective because it decomposes the whole document 
  into tokens and removing 
  non-whitelisted elements, checking the well-formedness and nesting of tags, and 
  validating all attributes according to their <abbr>RFC</abbr>s. 
  HTML Purifier's comprehensive algorithms are complemented by a 
  <strong>breadth of knowledge</strong>, ensuring that richly formatted 
  documents pass through unstripped.</p> 

  <p>To my knowledge, there is nothing else in the wild that offers 
  protection from <abbr>XSS</abbr>, standards-compliance, and
  corrective processing of poorly formed <abbr>HTML</abbr>.  HTML
  Purifier is not perfect; it can interact poorly with existing
  JavaScript on websites, which can introduces vulnerabilities after the
  fact.  However, it is pretty damn good.
  Do your research and try out the <a href="demo.php">demo</a>.</p> 

  <p>To find out more, you can read the
  <a href="comparison"><strong>Comparison</strong></a>
  for a analysis of HTML Purifier and the other major filters.  Or you
  can chat with other HTML Purifier users on our
  <a href="http://groups.google.com/group/htmlpurifier">mailing
  list</a> and our <a href="phorum">forum</a>.</p>

  <blockquote class="fancy">
  <div class="quote">
      [Y]ou save my day by allowing me not to write another damned HTML parser.
  </div>
  <div class="origin">
      &mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
  </div>
  </blockquote>
</div>

<div id="NewsContainer">
  <h2 id="News">Recent News</h2>

  <div class="news" news:source="news" news:limit="1" news:header="h3" />

  <p>
    <a href="news">Read earlier news...</a>
  </p>
</div>

</div>

<div class="clear"></div>

<h2 id="Ports">Ports</h2>

<p>HTML Purifier has been <a href="https://github.com/Mynigma/HTMLPurifier">partially ported to Objective C</a> by Roman Priebe and Lukas Neumann.</p>

<h2 id="Plugins">Plugins</h2>

<p>HTML Purifier is a great library to integrate with existing
<abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
editors.  Currently, we have plugins for these applications:</p>

<ul>
    <li><a href="http://www.phorum.org/phorum5/read.php?62,127035">Phorum</a> (in use at our very own forums!)</li>
    <li><a href="http://htmlpurifier.org/dev/plugins/modx.txt">MODx</a></li>
    <li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
    <li><a href="http://urbangiraffe.com/plugins/html-purified/">Wordpress and bbPress</a> by John Godley</li>
    <li><a href="http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla</a> by Double D</li>
    <li><a href="https://github.com/refringe/codeigniter-htmlpurifier">CodeIgniter</a> by Tyler Brownell (there is also an older plugin <a href="http://mindloop.be/htmlpurifier-and-the-codeigniter-framework/">CodeIgniter</a> by Andy Mathijs)</li>
    <li><a href="http://www.symfony-project.org/plugins/sfXssSafePlugin">Symfony</a> by Alexandre Mogère</li>
    <li><a href="http://github.com/josegonzalez/purifiable">CakePHP</a> by Jose Diaz-Gonzalez</li>
    <li><a href="http://nemesisdesign.net/blog/coding/html-purifier-plugin-joomla/">Joomla</a> by Federico Capoano</li>
    <li><a href="https://github.com/harikt/li3_htmlpurifier">Lithium</a> by Hari K T</li>
    <li><a href="http://community.elgg.org/pg/plugins/project/725191/developer/ewinslow/html-purifier-for-elgg-18">Elgg</a> by Evan Winslow</li>
    <li><a href="http://addons.silverstripe.org/add-ons/zirak/htmlpurifier">SilverStripe CMS</a> by Gabriele Brosulo</li>
</ul>

<p>
    HTML Purifier is also now in print! Martin Brampton's new book
    <a href="http://packt.aliro.org/">PHP 5 CMS Framework Development</a>
    includes a discussion of using HTML Purifier in your content management
    system. Go check it out!
</p>

<p>
    <strong>Notice:</strong>
    Any plugin provided by a third party has not been vetted by us: use
    them at your own risk. If you are having a problem with the plugin,
    please consult the plugin author before asking for help here (we'll
    be more than happy to help, but it might be a problem with the 
    plugin rather than HTML Purifier.)
</p>

<blockquote class="fancy">
<div class="quote">
    This plugin is on top of my favorite list[.] I am going to heavily
    depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
    having pages that validate and are semantically sound.
</div>
<div class="origin">
    &mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>

<p>Plugins for other major applications gladly accepted!</p>


<h2 id="Propaganda">Spread the Word!</h2>

<p>Help spread awareness about HTML Purifier by:</p>

<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
    <div>Including this little <strong>label</strong> on your website:
    <a href="http://htmlpurifier.org/"><img
    src="live/art/powered.png"
    alt="Powered by HTML Purifier" border="0" /></a>, with this code:
    </div>
    <pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>

</div>
</div>

</body>
</html>