Test commit.

[htmlpurifier-web.git] / index.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:rss="urn:xhtml-compiler:RSSGenerator"
      xml:lang="en" lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="description" content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords" content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<meta name="author" content="Edward Z. Yang" />
<link rel="icon" href="favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" /> 
<link rel="stylesheet" href="style.css" type="text/css" />
<link rel="alternate" type="application/rss+xml"
      title="News - HTML Purifier" href="news.rss"
      rss:for="news-container"
      rss:description="Recent news and updates on HTML Purifier" />
<!--[if lt IE 7.]><script defer="defer" type="text/javascript" src="pngfix.js"></script><![endif]-->
<script defer="defer" type="text/javascript" src="del.icio.us.js"></script>
<script defer="defer" type="text/javascript" src="switch2post.js"></script>
</head>
<body>

<img src="logo.png" id="logo" alt="HTML Purifier" />
<h1 id="header"><span class="html">HTML</span>
<span class="purifier">Purifier</span></h1>

<div id="navigation">
    <h2>Navigation</h2>
    <ol>
        <li><a href="#News">News</a></li>
        <li><a href="#Plugins">Plugins</a></li>
        <li><a href="#Demo">Demo</a></li>
        <li><strong><a href="#Download">Download</a></strong></li>
        <li><a href="#Resources">Resources</a></li>
        <li><a href="phorum/">Forum</a></li>
        <li><a href="#Contact">Contact</a></li>
    </ol>
</div>

<div id="content">

<a href="#Download"><img src="download.png" class="download-button" alt="Download HTML Purifier" /></a>

<p class="lead"><strong>HTML Purifier</strong> is a standards-compliant 
<acronym>HTML</acronym> filter library written in 
<acronym>PHP</acronym>. HTML Purifier will not only remove all malicious 
code (better known as <acronym>XSS</acronym>) with a thoroughly audited, 
secure <em>yet</em> permissive <strong><a 
href="http://hp.jpsband.org/live/smoketests/printDefinition.php">whitelist</a></strong>,
it will also make sure your documents are 
<strong>standards compliant</strong>, something only achievable with a 
comprehensive knowledge of <acronym>W3C</acronym>'s specifications. 
Tired of using BBCode due to the current landscape of deficient or 
insecure <acronym>HTML</acronym> filters? Have a 
<strong>WYSIWYG</strong> editor but never been able to use it? Looking 
for high-quality, standards-compliant, open-source components for that 
application you're building? HTML Purifier is for you!</p> 

<blockquote class="fancy">
<div class="quote">
    I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
    filtering emails against XSS attacks and we've been more than impressed.
</div>
<div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
</blockquote>

<h2 id="Background">Background</h2>

<p class="lead">There are a number of open-source <acronym>HTML</acronym> filtering solutions out
there on the web already
(i.e. <acronym>PEAR</acronym>'s
<a href="http://pear.php.net/package/HTML_Safe">HTML_Safe</a>,
<a href="http://sourceforge.net/projects/kses">kses</a>
and
<a href="http://simon.incutio.com/archive/2003/02/23/safeHtmlChecker">
SafeHtmlChecker.class.php</a>).  What sets HTML Purifier apart from them?
Aren't all of these choices <q>secure</q>?</p>

<p>When it comes to <acronym>HTML</acronym>, <strong>attention to 
detail</strong> is key. Does the library demonstrate an in-depth 
knowledge of the <acronym>DTD</acronym> that defines 
<acronym>HTML</acronym>? Does it perform its filtering off a robust 
whitelist rather than a usually out-dated blacklist? Does it go through 
the care to check every single attribute in the document for validity? 
Does it actually understand tag markup, or pay lip-service with a series 
of deficient regexes and str_replace's?</p> 

<p>Somewhere along the way, all of HTML Purifier's predecessors fall 
flat. HTML_Safe dooms itself to attacks of the future by using a 
blacklist. Configurable filters like kses and PHP Input Filter still 
cannot validate the contents inside attributes. With all these gaps in 
coverage, none of the usual libraries come close to achieving 
<strong>standards-compliance</strong>. There is a user-unfriendly, 
draconic <acronym>XML</acronym>-based filter called Safe HTML Checker, 
but even it forgets that <code>&lt;a&gt;</code> tags cannot be nested 
within each other!</p> 

<p><strong>Know thy enemy.</strong> Wily hackers have a huge arsenal of 
<acronym>XSS</acronym> hidden within the depths of the 
<acronym>HTML</acronym> specification. HTML Purifier takes its 
effectiveness from the fact that it will decompose the whole document 
into tokens, and rigorously process the tokens by removing 
non-whitelisted elements, transforming bad practice tags like font into 
span, properly checking the nesting of tags and their children and 
validating all attributes according to their <acronym>RFC</acronym>s. 
HTML Purifier's comprehensive algorithms are complemented by a 
<strong>breadth of knowledge</strong>, ensuring that richly formatted 
documents pass through unstripped.</p> 

<a href="comparison.html"><img src="compare.png" class="compare-button" alt="Compare HTML Purifier with other filters" /></a>

<p>To my knowledge, there is nothing else in the wild that offers 
protection from <acronym>XSS</acronym>, standards-compliance, and the
corrective processing of poorly formed <acronym>HTML</acronym>
simultaneously. Don't take my word for it though: 
do your research. Investigate the other libraries, and decide for 
yourself who you would prefer to be the <strong>gatekeeper</strong> to 
your system.</p> 

<p>To find out more, you can read the
<a href="comparison.html"><strong>Comparison</strong></a>
for a play-by-play analysis of the major filter libraries currently
out there.</p>

<blockquote class="fancy">
<div class="quote">
    [Y]ou save my day by allowing me not to write another damned HTML parser.
</div>
<div class="origin">
    &mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
</div>
</blockquote>


<h2 id="News">News</h2>

<div id="news-container" class="news">

<div class="item" id="news-rss-feed">
    <h3 class="title"><acronym>RSS</acronym> feed!</h3>
    <div class="date">Sat, 17 March 2007 5:42:12 EDT</div>
    
    <div class="body">
    <p class="lead">We have a shiny new <acronym>RSS</acronym> feed
    at <a href="news.rss">news.rss</a>, which is hooked up to this
    news feed. Subscribe for release notifications as well as random
    news about HTML Purifier.</p>
    </div>
</div>

<div class="item" id="news-status-on-api">
    <h3 class="title">Status on 1.5 and the Advanced <acronym>API</acronym></h3>
    <div class="date">Wed, 14 March 2007 5:31:46 EDT</div>
    
    <div class="body">
    <p class="lead">Quick update on the status of version 1.5. The flagship
    new feature of this release is to be an advanced system for selecting
    and creating elements and attributes. You can view the <a
    href="http://hp.jpsband.org/live/docs/dev-advanced-api.html">projected
    advanced <acronym>API</acronym> here</a>.</p>

    <p>If you actually took the time out to scan the document, you may notice
    that its incomplete. This is a very big problem. I am slowly grinding
    away at the details, but any suggestions and comments would be
    greatly appreciated. You can post anything you want to see in the 
    <a href="http://hp.jpsband.org/phorum/list.php?2">general forums</a>.</p>    
    </div>
</div>

<div class="item" id="news-utf8-tutorial">
    <h3 class="title"><acronym>UTF-8</acronym> Tutorial</h3>
    <div class="date">Sat, 27 Jan 2007 13:30:56 EST</div>
    
    <div class="body">
    <p class="lead">Here's a tutorial on <a 
    href="http://hp.jpsband.org/live/docs/enduser-utf8.html">HTML Purifier 
    and <acronym>UTF-8</acronym> character encoding issues</a>. It discusses 
    how to figure out your character encoding, why you should 
    <acronym>UTF-8</acronym>, and how to migrate (should you choose to do 
    so). </p> 
    </div>
</div>

<div class="item" id="news-1.4.1-released">
    <h3 class="title">HTML Purifier 1.4.1 released</h3>
    <div class="date">Sun, 21 Jan 2007 17:18:01 EST</div>
    
    <div class="body">
    <blockquote>This release supersedes the 1.4.0 release
    on the same day. </blockquote>

    <p class="lead">1.4.1 major feature release available today.
    The goodies: </p>

    <ul>
        <li><strong><acronym>PHP</acronym>5 E_STRICT mode
            supported.</strong> See download section for alternate
            package.</li>
        <li><strong>CSS properties 'list-style-image', 'background-image',
            'background-repeat', 'background-attachment' and
            'background-position' implemented</strong>. </li>
        <li>You can now use %Core.EscapeNonASCIICharacters to workaround
            HTML Purifier's tendency to remove all characters that an
            encoding does not support. This does not apply to users who
            have stayed with <acronym>UTF-8</acronym>. </li>
        <li>YouTube preservation code is now part of the core. You can see
            an example at <a
            href="http://hp.jpsband.org/svnroot/htmlpurifier/trunk/smoketests/preserveYouTube.php">smoketests/preserveYouTube.php</a>.
        </li>
        <li>You can now create a configuration object from an
            <acronym>INI</acronym> file using
            <code>HTMLPurifier_Config::create( $ini_filename );</code> </li>
    </ul>

    <p class="lead">There were also a one fixed bug, where HTML Purifier
    would stop working if <acronym>PHP</acronym>5 did not have
    <acronym>DOM</acronym> installed. See <a
    href="http://hp.jpsband.org/svnroot/htmlpurifier/tags/1.4.1/NEWS">News</a>
    for a complete changelog. </p>

    <p>Future work will cover implementing deprecated attributes and letting
    users preserve them rather than transform them into the
    <acronym>CSS</acronym> equivalents as well as error logging and
    <acronym>XSS</acronym> attempt detection. </p>
    </div>
</div>

<div class="item" id="news-teracc-review">
    <h3 class="title">Japanese Review</h3>
    <div class="date">Sun, 07 Jan 2007 13:55:01 EST</div>
    
    <div class="body">
    <p class="lead">Japanese users may want to check out
    <a href="http://d.hatena.ne.jp/teracc/20070105">teracc's post on HTML
    Purifier.</a> Provides a very good overview of the library, especially
    if English is not your best language. </p>

    <p>teracc raises some very important objections about the library,
    including the inability of HTML Purifier to accept table attributes
    designating things like color and width, tabindex and accesskey for
    a tags, and the background-image <acronym>CSS</acronym> key. HTML
    Purifier also cannot accept non-<acronym>ASCII</acronym> characters
    in font-names. </p>

    <p>The two main disadvantages, the post concludes, are that HTML
    Purifier ignores non-standard <acronym>HTML</acronym> rather than
    refusing them (as well as the fact that it really isn't validating to
    the specification, it's using a more restrictive specification) and
    that <acronym>CPU</acronym>/memory usage by the library is high. </p>

    <p>These notes are all correct. Here are some replies: </p>

    <ul>
        <li>Table attributes: they're deprecated, so they're not terribly
            high priority for me to implement, but I understand they are
            commonly used and will move to implement them. </li>
        <li>tabindex and accesskey: dangerous <acronym>UI</acronym>
            attributes that I specifically decided not to allow. If anyone
            an convince me why they'd be a good idea I'll consider
            implementing them. </li>
        <li><del>background-image: never got around to implementing it,
            now that resource <acronym>URI</acronym> restrictions are
            possible, this is something I'll add.</del> Implemented with
            1.4.0. </li>
        <li>Non-ASCII characters not allowed in font names: Never thought this
            would be a problem! In terms of web accessibility, picking these
            sorts of fonts probably wouldn't be a good idea since most people
            wouldn't have them, but I'll see what I can do. </li>
        <li>Ignoring versus refusing: I'm not exactly I understood what teracc
            was saying here. This would fall into the realm of XSS-detection,
            which has been requested before and is something I've been
            playing around with. </li>
        <li>Not validating to the specification: Of course I can't validate
            to it directly, that would be insecure. I'll clarify this in the
            documentation. </li>
        <li><acronym>CPU</acronym>/Memory usage high: Precisely why you
            need to cache HTML Purifier's output. </li>
    </ul>
    </div>
</div>

</div> <!-- end news-container -->

<h2 id="Plugins">Plugins</h2>

<p class="lead">HTML Purifier is a great library to integrate with existing
<acronym>CMS</acronym>es and other applications or <acronym>WYSIWYG</acronym> editors.  Currently, we have plugins
for:</p>

<ul>
    <li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal HTML Purifier Module</a> (beta) by Bart Jansens</li>
    <li><a href="http://hp.jpsband.org/svnroot/htmlpurifier/trunk/plugins/modx.txt">MODx Content Management System</a></li>
</ul>

<blockquote class="fancy">
<div class="quote">
    This plugin is on top of my favorite list[.] I am going to heavily
    depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
    having pages that validate and are semantically sound.
</div>
<div class="origin">
    &mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>

<p class="lead">Plugins for other major applications gladly accepted!</p>


<h2 id="Demo">Demo</h2>

<p class="lead">Enter your <acronym>HTML</acronym> and see how it will be filtered!</p>
<form id="filter" action="http://hp.jpsband.org/live/docs/examples/demo.php?post" method="post">
    <fieldset>
    <legend>HTML Purifier Input</legend>
    <textarea name="html" cols="50" rows="10" id="html"></textarea>
    <div><acronym>XHTML</acronym> 1.0 Strict output? <input type="checkbox" value="1" name="strict" /></div>
    <div>
        <input type="submit" value="Submit" name="submit" class="button" />
    </div>
    </fieldset>
</form>

<p class="lead">...or try these sample inputs:</p>

<ul>
    <li><a href="http://hp.jpsband.org/live/docs/examples/demo.php?get&amp;html=%3Cimg+src%3D%22javascript%3Aevil%28%29%3B%22+onload%3D%22evil%28%29%3B%22+%2F%3E">Malicious code removed</a></li>
    <li><a href="http://hp.jpsband.org/live/docs/examples/demo.php?html=%3Cb%3EBold&amp;submit=Submit">Missing end tags fixed</a></li>
    <li><a href="http://hp.jpsband.org/live/docs/examples/demo.php?html=%3Cb%3EInline+%3Cdel%3Econtext+%3Cdiv%3ENo+block+allowed%3C%2Fdiv%3E%3C%2Fdel%3E%3C%2Fb%3E&amp;submit=Submit">Illegal nesting fixed</a></li>
    <li><a href="http://hp.jpsband.org/live/docs/examples/demo.php?html=%3Ccenter%3ECentered%3C%2Fcenter%3E&amp;strict=1&amp;submit=Submit">Deprecated tags converted</a></li>
    <li><a href="http://hp.jpsband.org/live/docs/examples/demo.php?html=%3Cspan+style%3D%22color%3A%23COW%3Bfloat%3Aaround%3Btext-decoration%3Ablink%3B%22%3EText%3C%2Fspan%3E&amp;submit=Submit"><acronym>CSS</acronym> validated</a></li>
    <li><a href="http://hp.jpsband.org/live/docs/examples/demo.php?html=%3Ctable%3E%0D%0A++%3Ccaption%3E%0D%0A++++Cool+table%0D%0A++%3C%2Fcaption%3E%0D%0A++%3Ctfoot%3E%0D%0A++++%3Ctr%3E%0D%0A++++++%3Cth%3EI+can+do+so+much%21%3C%2Fth%3E%0D%0A++++%3C%2Ftr%3E%0D%0A++%3C%2Ftfoot%3E%0D%0A++%3Ctr%3E%0D%0A++++%3Ctd+style%3D%22font-size%3A16pt%3B%0D%0A++++++color%3A%23F00%3Bfont-family%3Asans-serif%3B%0D%0A++++++text-align%3Acenter%3B%22%3EWow%3C%2Ftd%3E%0D%0A++%3C%2Ftr%3E%0D%0A%3C%2Ftable%3E&amp;submit=Submit">Rich formatting preserved</a></li>
</ul>

<h2 id="Download">Download</h2>

<p class="lead">The current version is
<strong>1.4.1</strong>.  Pick your distribution:</p>

<ul>
<li><a class="download" href="releases/htmlpurifier-1.4.1.tar.gz">HTML Purifier 1.4.1 (.tar.gz)</a> [<a href="releases/htmlpurifier-1.4.1.tar.gz.sig">sig</a>]</li>
<li><a class="download" href="releases/htmlpurifier-1.4.1.zip">HTML Purifier 1.4.1 (.zip)</a> [<a href="releases/htmlpurifier-1.4.1.zip.sig">sig</a>]</li>
<li><a class="download" href="releases/htmlpurifier-1.4.1-strict.tar.gz">HTML Purifier 1.4.1 PHP5-strict (.tar.gz)</a> [<a href="releases/htmlpurifier-1.4.1-strict.tar.gz.sig">sig</a>]</li>
<li><a class="download" href="releases/htmlpurifier-1.4.1-strict.zip">HTML Purifier 1.4.1 PHP5-strict (.zip)</a> [<a href="releases/htmlpurifier-1.4.1-strict.zip.sig">sig</a>]</li>
</ul>

<p class="lead">The <acronym>PHP</acronym>5-strict version is exactly the same
as the regular version with a few tweaks
to prevent it from complaining about
E_STRICT warnings.This library is open-source, licensed under the
<a href="http://www.gnu.org/licenses/lgpl.html"><acronym>LGPL</acronym> v2.1+</a>.</p>

<p>You can also grab the latest developmental code from our Subversion
repository.  Simply execute this command:</p>

<pre class="command">svn co http://hp.jpsband.org/svnroot/htmlpurifier/trunk ./</pre>

<p>...or <a href="http://hp.jpsband.org/svnroot/htmlpurifier/trunk/">browse
anonymously</a> at that address. Previous releases can be obtained by browsing
the <a href="releases/">release directory</a>
or checking code out of the
<a href="http://hp.jpsband.org/svnroot/htmlpurifier/tags/">tags/
directory</a>.</p>

<p><acronym>SHA-1</acronym> checksums:</p>

<pre>
c82945de51555a9c8bd6352561977cfa029f2054 htmlpurifier-1.4.1.tar.gz
de67ac0768e634d79e14426c77acacee58e2a7c4 htmlpurifier-1.4.1.zip
6f2f127b830801b3720991ea382c34470407ecf0 htmlpurifier-1.4.1-strict.tar.gz
070542122837c18818a1cb5e46de19fd3a576bc6 htmlpurifier-1.4.1-strict.zip
</pre>

<p>There are also <tt>.sig</tt> files which you can use to cryptographically verify
that the release is from me, Edward Z. Yang.  You can find
my <a href="http://www.thewritingpot.com/gpgpubkey.asc">public key
here (0x869C48DA)</a>.  My key's fingerprint is:
<tt>3FA8 E9A9 7385 B691 A6FC  B3CB A933 BE7D 869C 48DA</tt>.</p>

<p>Verify with these commands:</p>

<pre class="command">gpg --verify <strong>$filename</strong>.sig</pre>

<p class="lead">You can be notified of new releases by a low-traffic announce list. Subscribe
here:</p>

<form method="post" action="http://scripts.dreamhost.com/add_list.cgi">
   <input type="hidden" name="list" value="htmlpurifier@jpsband.org" />
   <input type="hidden" name="domain" value="jpsband.org" />
   <input type="hidden" name="emailit" value="1" />
   <div>Name: <input name="name" /> E-mail: <input name="email" /></div>
   <div><input type="submit" name="submit" value="Suscribe to Announcement List" />
   <input type="submit" name="unsub" value="Unsubscribe" /></div>
</form>

<h2 id="Resources">Resources</h2>
<ul>
    <li><strong><a href="http://hp.jpsband.org/live/docs/">End-User
        Documentation</a></strong> &mdash; In-depth documents on how to get
        the most out of HTML Purifier.</li>
    <li><a href="mantis/">Mantis Bugtracker</a> &mdash; Found a bug? Report
        it here!</li>
    <li><a href="phorum/">Support Forum</a> &mdash; Talk about all things
        HTML Purifier.</li>
    <li><a href="http://hp.jpsband.org/live/smoketests/printDefinition.php">Print
        Definition</a> &mdash; If you want to actually see what HTML Purifier's
        filtering rules are, look no further than to this page. You can even
        experiment with the configuration to see how things respond to different
        directives.</li>
    <li><a href="http://hp.jpsband.org/live/smoketests/xssAttacks.php"><acronym>XSS</acronym>
        Attacks Smoketest</a> &mdash; Tests how well HTML Purifier fares
        against RSnake's famous cheatsheet of <acronym>XSS</acronym> attacks.</li>
    <li><a href="http://hp.jpsband.org/live/TODO">Roadmap</a>
        &mdash; Subject to lots of delays, but it's a glimpse of the future</li>
    <li><a href="http://hp.jpsband.org/live/art/">Artwork</a>
        &mdash; Extra media goodies.</li>
    <li><a href="http://hp.jpsband.org/live/configdoc/plain.html">Configuration
        documentation</a> &mdash; See the <code>INSTALL</code> document on how to
        configure your HTML Purifier installation.</li>
    <li><a href="http://hp.jpsband.org/doxygen/html/">Doxygen-generated
        Documentation</a> &mdash; No class left undocumented!  Cross-referenced
        code!  A must-read for any prospective HTML Purifier hacker.
        (close by, <a href="http://hp.jpsband.org/phpdoc/">PHPDoc-generated
        Documentation.</a>)</li>
</ul>

<h2 id="Propaganda">Spread the Word!</h2>

<p class="lead">Help spread awareness about HTML Purifier by:</p>

<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://hp.jpsband.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
    <div>Including this little <strong>label</strong> on your website:
    <a href="http://hp.jpsband.org/"><img
    src="http://hp.jpsband.org/live/art/powered.png"
    alt="Powered by HTML Purifier" border="0" /></a>, with this code:
    </div>
    <pre>&lt;a href=&quot;http://hp.jpsband.org/&quot;&gt;&lt;img
src=&quot;http://hp.jpsband.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>

<h2 id="Contact">Contact</h2>

<p class="lead">You can send me an email at
<a href="mailto:htmlpurifier@jpsband.org">htmlpurifier@jpsband.org</a>. 
However, I prefer that you use the forums for asking general support
questions (response time will be the same, I promise!)
Any emails I receive will be considered public: if I think a
solution I thought up to help you would be particularly useful to others,
expect it to show up on the website.</p>

</div>

</body>
</html>