Adding 3rd-party plugin disclaimer.
[htmlpurifier-web.git] / index.xhtml
blob 43752c2701acbafd02a45e573da499345c8e9967
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xc="urn:xhtml-compiler"
xmlns:svn="urn:xhtml-compiler:Subversion"
svn:head-url="$HeadURL$"
svn:revision="$Revision$"
xc:rss-from-svn="yes"
xml:lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description"
content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords"
content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
<script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
</head>
<body>
<div id="branding">
<h1>
<span class="html">HTML</span>
<span class="purifier">Purifier</span>
</h1>
<blockquote>
<p>
Standards-Compliant HTML Filtering
</p>
</blockquote>
</div>
<xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />
<div id="summary">
<h2>Summary</h2>
<div id="summary-safe">
<h3>Safe</h3>
<p>
HTML Purifier defeats XSS with an audited whitelist
</p>
</div>
<div id="summary-clean">
<h3>Clean</h3>
<p>
HTML Purifier ensures standards-compliant output
</p>
</div>
<div id="summary-open">
<h3>Open</h3>
<p>
HTML Purifier is open-source and highly customizable
</p>
</div>
</div>
<div id="intro">
<p><strong>HTML Purifier</strong> is a standards-compliant
<abbr>HTML</abbr> filter library written in
<abbr>PHP</abbr>. HTML Purifier will not only remove all malicious
code (better known as <abbr>XSS</abbr>) with a thoroughly audited,
secure <em>yet</em> permissive <strong><a
href="live/smoketests/printDefinition.php">whitelist</a></strong>,
it will also make sure your documents are
<strong>standards compliant</strong>, something only achievable with a
comprehensive knowledge of <abbr>W3C</abbr>'s specifications.
Tired of using BBCode due to the current landscape of deficient or
insecure <abbr>HTML</abbr> filters? Have a
<strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking
for high-quality, standards-compliant, open-source components for that
application you're building? HTML Purifier is for you!</p>
<div class="notice">
<p>
HTML Purifier celebrates its <strong>2.0</strong> release! Read more
about it at <a href="news/2.0.0-released.html">2.0.0 Released</a>.
</p>
</div>
<blockquote class="fancy">
<div class="quote">
I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
filtering emails against XSS attacks and we've been more than impressed.
</div>
<div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
</blockquote>
<xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />
</div>
<div id="content">
<h2 id="Background">Background</h2>
<p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
there on the web already
(e.g. <acronym>PEAR</acronym>'s
<a href="http://pear.php.net/package/HTML_Safe">HTML_Safe</a>,
<a href="http://sourceforge.net/projects/kses">kses</a>
<a href="http://simon.incutio.com/archive/2003/02/23/safeHtmlChecker">
SafeHtmlChecker.class.php</a>). What sets HTML Purifier apart from them?
Aren't all of these choices <q>secure</q>?</p>
<p>When it comes to <abbr>HTML</abbr>, <strong>attention to
detail</strong> is key. Does the library demonstrate an in-depth
knowledge of the <abbr>DTD</abbr> that defines
<abbr>HTML</abbr>? Does it perform its filtering off a robust
whitelist rather than a usually outdated blacklist? Does it take
the care to check every single attribute in the document for validity?
Does it actually understand tag markup, or pay lip-service with a series
of deficient regexes and <code>str_replace</code> calls?</p>
<p>Somewhere along the way, all of HTML Purifier's predecessors fall
flat. HTML_Safe dooms itself to attacks of the future by using a
blacklist. Configurable filters like kses and PHP Input Filter still
cannot validate the contents inside attributes. With all these gaps in
coverage, none of the usual libraries come close to achieving
<strong>standards-compliance</strong>. There is a user-unfriendly,
draconian <abbr>XML</abbr>-based filter called Safe HTML Checker,
but even it forgets that <code>&lt;a&gt;</code> tags cannot be nested
within each other!</p>
<p><strong>Know thy enemy.</strong> Wily hackers have a huge arsenal of
<abbr>XSS</abbr> hidden within the depths of the
<abbr>HTML</abbr> specification. HTML Purifier takes its
effectiveness from the fact that it will decompose the whole document
into tokens, and rigorously process the tokens by removing
non-whitelisted elements, transforming bad practice tags like <code>font</code> into
<code>span</code>, properly checking the nesting of tags and their children and
validating all attributes according to their <abbr>RFC</abbr>s.
HTML Purifier's comprehensive algorithms are complemented by a
<strong>breadth of knowledge</strong>, ensuring that richly formatted
documents pass through unstripped.</p>
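As an added illustration of the token-based approach this paragraph describes (it is example code written for this page, not HTML Purifier's own PHP implementation), the small Python filter below tokenizes input with the standard-library parser, drops every element and attribute that is not on an explicit whitelist, refuses an <code>a</code> nested inside another <code>a</code>, rewrites <code>font</code> to <code>span</code>, checks <code>href</code> schemes, and re-escapes all text. The whitelist, the accepted URL schemes and the single-colour CSS rule are assumptions chosen for the example; a real deployment needs the full element, attribute and CSS definitions that HTML Purifier maintains.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Whitelist (assumed for this example): tag -> attributes allowed on it; anything not listed is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "span": {"style"}, "a": {"href"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}      # "" = relative URL
HIDDEN = {"script", "style"}                        # dropped together with their text

class WhitelistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)     # &#106;avascript: arrives decoded
        self.out, self.stack = [], []               # stack holds (tag, emitted) pairs
    def _attrs(self, tag, attrs):
        kept = []                                   # only whitelisted, validated attributes
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href":                      # browsers ignore control chars in URLs
                url = re.sub(r"[\x00-\x20]", "", value)
                if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
                    continue
            if name == "style" and not re.fullmatch(r"color:\s*#?[0-9a-z]+", value.lower()):
                continue                            # toy CSS rule: a single plain colour
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)
    def handle_starttag(self, tag, attrs):
        if tag == "font":                           # bad-practice tag rewritten as span
            color = dict(attrs).get("color")
            tag, attrs = "span", [("style", f"color:{color}")] if color else []
        emit = tag in ALLOWED and not (tag == "a" and "a" in [t for t, _ in self.stack])
        if emit:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
        self.stack.append((tag, emit))              # dropped tags are tracked for nesting only
    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        tag = "span" if tag == "font" else tag
        if tag in names:                            # close up to and including the last match
            idx = len(names) - 1 - names[::-1].index(tag)
            self.out.extend(f"</{t}>" for t, emitted in reversed(self.stack[idx:]) if emitted)
            del self.stack[idx:]
    def handle_data(self, data):
        if not any(t in HIDDEN for t, _ in self.stack):
            self.out.append(escape(data))           # text is always re-escaped

def purify(html):
    f = WhitelistFilter()
    f.feed(html); f.close()                         # close() flushes buffered text
    return "".join(f.out + [f"</{t}>" for t, emitted in reversed(f.stack) if emitted])
```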
<p>To my knowledge, there is nothing else in the wild that offers
protection from <abbr>XSS</abbr>, standards-compliance, and the
corrective processing of poorly formed <abbr>HTML</abbr>
simultaneously. Don't take my word for it though:
do your research. Investigate the other libraries, and decide for
yourself who you would prefer to be the <strong>gatekeeper</strong> to
your system.</p>
<p>To find out more, you can read the
<a href="comparison.html"><strong>Comparison</strong></a>
for a play-by-play analysis of the major filter libraries currently
out there.</p>
<blockquote class="fancy">
<div class="quote">
[Y]ou save my day by allowing me not to write another damned HTML parser.
</div>
<div class="origin">
&mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
</div>
</blockquote>
<h2 id="Plugins">Plugins</h2>
<p>HTML Purifier is a great library to integrate with existing
<abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
editors. Currently, we have plugins for these applications:</p>
<ul>
<li><a href="http://www.phorum.org/phorum5/read.php?16,122766">Phorum</a> (in use at our very own forums!)</li>
<li><a href="http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt">MODx</a></li>
<li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
<li><a href="http://urbangiraffe.com/plugins/html-purified/">WordPress</a> by John Godley</li>
</ul>
<p>
<strong>Warning:</strong> It has
come to my attention that some of these plugins may be insecure.
Any plugin provided by a third party has not been vetted by us: use
them at your own risk. I am confident that HTML Purifier works properly,
so any problems should
be resolved with the respective authors of the plugin.
</p>
<blockquote class="fancy">
<div class="quote">
This plugin is on top of my favorite list[.] I am going to heavily
depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
having pages that validate and are semantically sound.
</div>
<div class="origin">
&mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>
<p>Plugins for other major applications gladly accepted!</p>
<h2 id="Docs">Documentation</h2>
<ul>
<li><strong><a href="docs/">End-User
Documentation</a></strong> &mdash; In-depth documents on how to get
the most out of HTML Purifier.</li>
<li><a href="http://htmlpurifier.org/phorum/">Support Forum</a> &mdash; Talk about all things
HTML Purifier.</li>
<li><a href="live/smoketests/printDefinition.php">Print
Definition</a> &mdash; If you want to actually see what HTML Purifier's
filtering rules are, look no further than to this page. You can even
experiment with the configuration to see how things respond to different
directives.</li>
<li><a href="live/smoketests/xssAttacks.php"><abbr>XSS</abbr>
Attacks Smoketest</a> &mdash; Tests how well HTML Purifier fares
against RSnake's famous cheatsheet of <abbr>XSS</abbr> attacks.</li>
<li><a href="live/TODO">Roadmap</a>
&mdash; Subject to lots of delays, but it's a glimpse of the future.</li>
<li><a href="live/art/">Artwork</a>
&mdash; Extra media goodies.</li>
<li><a href="live/configdoc/plain.html">Configuration
documentation</a> &mdash; See the <code>INSTALL</code> document on how to
configure your HTML Purifier installation.</li>
<li><a href="http://htmlpurifier.org/doxygen/html/">Doxygen-generated
Documentation</a> &mdash; No class left undocumented! Cross-referenced
code! A must-read for any prospective HTML Purifier hacker.
(Nearby: <a href="http://htmlpurifier.org/phpdoc/">PHPDoc-generated
Documentation</a>.)</li>
</ul>
<h2 id="Propaganda">Spread the Word!</h2>
<p>Help spread awareness about HTML Purifier by:</p>
<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
<div>Including this little <strong>label</strong> on your website:
<a href="http://htmlpurifier.org/"><img
src="live/art/powered.png"
alt="Powered by HTML Purifier" border="0" /></a>, with this code:
</div>
<pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>
</div>
</body>
</html>