Add security vulnerability notice.

[htmlpurifier-web.git] / index.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
  xmlns="http://www.w3.org/1999/xhtml"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xc="urn:xhtml-compiler"
  xmlns:svn="urn:xhtml-compiler:Subversion"
  svn:head-url="$HeadURL$"
  svn:revision="$Revision$"
  xc:rss-from-svn="yes"
  xml:lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description"
  content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords"
  content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
<script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
<!-- OpenID for Edward Z. Yang -->
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://edwardzyang.pip.verisignlabs.com/" />
<!-- Google OpenSearch -->
<link rel="search" href="opensearchdescription.xml"
  type="application/opensearchdescription+xml"
  title="HTML Purifier" />
</head>
<body>

<div id="branding">
  <h1>
    <span class="html">HTML</span>
    <span class="purifier">Purifier</span>
  </h1>
  <blockquote>
    <p>
      Standards-Compliant HTML Filtering
    </p>
  </blockquote>
</div>

<xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />

<div id="content">

<div id="summary">
  <h2>Summary</h2>
  <div id="summary-safe">
    <h3>Safe</h3>
    <p>
      HTML Purifier defeats XSS with an audited whitelist
    </p>
  </div>
  <div id="summary-clean">
    <h3>Clean</h3>
    <p>
      HTML Purifier ensures standards-compliant output
    </p>
  </div>
  <div id="summary-open">
    <h3>Open</h3>
    <p>
      HTML Purifier is open-source and highly customizable
    </p>
  </div>
</div>

<div id="intro">
  <div class="warning" style="margin-left:0; margin-right:0;">
    A security vulnerability was found in versions of HTML Purifier earlier
    than 3.1.0 and 2.1.4. <strong>Affected versions include but are not
    limited to 3.0.0, 3.1.0rc1 and 2.1.3.</strong>
    Although no exploit was found in the wild for this vulnerability, please
    update as quickly as possible.
  </div>
  
  <p><strong>HTML Purifier</strong> is a standards-compliant 
  <abbr>HTML</abbr> filter library written in 
  <abbr>PHP</abbr>. HTML Purifier will not only remove all malicious 
  code (better known as <abbr>XSS</abbr>) with a thoroughly audited, 
  secure <em>yet</em> permissive <strong><a 
  href="live/smoketests/printDefinition.php">whitelist</a></strong>,
  it will also make sure your documents are 
  <strong>standards compliant</strong>, something only achievable with a 
  comprehensive knowledge of <abbr>W3C</abbr>'s specifications. 
  Tired of using BBCode due to the current landscape of deficient or 
  insecure <abbr>HTML</abbr> filters? Have a 
  <strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking 
  for high-quality, standards-compliant, open-source components for that 
  application you're building? HTML Purifier is for you!</p> 
  
  <blockquote class="fancy">
  <div class="quote">
      I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
      filtering emails against XSS attacks and we've been more than impressed.
  </div>
  <div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
  </blockquote>
  
  <xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />
  
</div>

<h2 id="Background" class="clear">Background</h2>

<p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
there on the web already
(i.e. <acronym>PEAR</acronym>'s
<a href="http://pear.php.net/package/HTML_Safe">HTML_Safe</a>,
<a href="http://sourceforge.net/projects/kses">kses</a>
and
<a href="http://simon.incutio.com/archive/2003/02/23/safeHtmlChecker">
SafeHtmlChecker.class.php</a>).  What sets HTML Purifier apart from them?
Aren't all of these choices <q>secure</q>?</p>

<p>When it comes to <abbr>HTML</abbr>, <strong>attention to 
detail</strong> is key. Does the library demonstrate an in-depth 
knowledge of the <abbr>DTD</abbr> that defines 
<abbr>HTML</abbr>? Does it perform its filtering off a robust 
whitelist rather than a usually out-dated blacklist? Does it go through 
the care to check every single attribute in the document for validity? 
Does it actually understand tag markup, or pay lip-service with a series 
of deficient regexes and str_replace's?</p> 

<p>Somewhere along the way, all of HTML Purifier's predecessors fall 
flat. HTML_Safe dooms itself to attacks of the future by using a 
blacklist. Configurable filters like kses and PHP Input Filter still 
cannot validate the contents inside attributes. With all these gaps in 
coverage, none of the usual libraries come close to achieving 
<strong>standards-compliance</strong>. There is a user-unfriendly, 
draconic <abbr>XML</abbr>-based filter called Safe HTML Checker, 
but even it forgets that <code>&lt;a&gt;</code> tags cannot be nested 
within each other!</p> 

<p><strong>Know thy enemy.</strong> Wily hackers have a huge arsenal of 
<abbr>XSS</abbr> hidden within the depths of the 
<abbr>HTML</abbr> specification. HTML Purifier takes its 
effectiveness from the fact that it will decompose the whole document 
into tokens, and rigorously process the tokens by removing 
non-whitelisted elements, transforming bad practice tags like font into 
span, properly checking the nesting of tags and their children and 
validating all attributes according to their <abbr>RFC</abbr>s. 
HTML Purifier's comprehensive algorithms are complemented by a 
<strong>breadth of knowledge</strong>, ensuring that richly formatted 
documents pass through unstripped.</p> 

<p>To my knowledge, there is nothing else in the wild that offers 
protection from <abbr>XSS</abbr>, standards-compliance, and the
corrective processing of poorly formed <abbr>HTML</abbr>
simultaneously. Don't take my word for it though: 
do your research. Investigate the other libraries, and decide for 
yourself who you would prefer to be the <strong>gatekeeper</strong> to 
your system.</p> 

<p>To find out more, you can read the
<a href="comparison.html"><strong>Comparison</strong></a>
for a play-by-play analysis of the major filter libraries currently
out there.</p>

<blockquote class="fancy">
<div class="quote">
    [Y]ou save my day by allowing me not to write another damned HTML parser.
</div>
<div class="origin">
    &mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
</div>
</blockquote>

<h2 id="Plugins">Plugins</h2>

<p>HTML Purifier is a great library to integrate with existing
<abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
editors.  Currently, we have plugins for these applications:</p>

<ul>
    <li><a href="http://www.phorum.org/phorum5/read.php?62,127035">Phorum</a> (in use at our very own forums!)</li>
    <li><a href="http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt">MODx</a></li>
    <li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
    <li><a href="http://urbangiraffe.com/plugins/html-purified/">Wordpress</a> by John Godley</li>
    <li><a href="http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,4094/Itemid,35/">Joomla</a> by Double D</li>
    <li><a href="http://www.mindloop.be/nieuws/nieuwe-ontwikkelingen/htmlpurifier-and-the-codeigniter-framework">CodeIgniter</a> by Andy Mathijs</li>
</ul>

<p>
    <strong>Notice:</strong>
    Any plugin provided by a third party has not been vetted by us: use
    them at your own risk. If you are having a problem with the plugin,
    please consult the plugin author before asking for help here (we'll
    be more than happy to help, but it might be a problem with the 
    plugin rather than HTML Purifier.)
</p>

<blockquote class="fancy">
<div class="quote">
    This plugin is on top of my favorite list[.] I am going to heavily
    depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
    having pages that validate and are semantically sound.
</div>
<div class="origin">
    &mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>

<p>Plugins for other major applications gladly accepted!</p>


<h2 id="Users">Users</h2>

<p>Here are some open-source applications that use HTML Purifier:</p>

<ul>
    <li><a href="http://www.bitweaver.org/">BitWeaver</a> (<a href="http://www.bitweaver.org/wiki/HTMLPurifier">via PEAR</a>, see <a href="http://bitweaver.cvs.sourceforge.net/bitweaver/_bit_install/install_checks.php?view=markup">install_checks.php</a>)</li>
    <li><a href="http://www.aliro.org/">Aliro</a> (<a href="http://aliro-svn.cvsdude.com/aliro/trunk/extclasses/HTMLPurifier.php">3.1.0rc1</a>)</li>
    <li><a href="http://php-ids.org/">WPIDS</a> (<a href="http://code.google.com/p/wpids/source/browse/trunk/htmlpurifier/HTMLPurifier.php">3.0.0</a>)</li>
    <li><a href="http://kohanaphp.com/home.html">Kohana</a> (<a href="http://trac.kohanaphp.com/browser/trunk/system/vendor">3.1.0rc1</a>)</li>
</ul>

<p>If I've forgotten anyone, drop me a line with a link to both
your application and the use of HTML Purifier in your code repository,
and I'll add your application to this list.</p>

<h3>Hall of Limbo: PHP4</h3>

<p>The following applications are using HTML Purifier 2.1.3, for PHP4 compatibility.
While this is fine, I would much rather they go PHP5!</p>

<ul>
    <li><a href="http://getlilina.org/">Lilina News Aggregator</a> (<a href="http://lilina.googlecode.com/svn/trunk/lilina/inc/contrib/HTMLPurifier.standalone.php">2.1.3</a>)</li>
    <li><a href="http://brilaps.com/index.php?content=mia">Mia</a> (<a href="http://code.google.com/p/mia-chat/source/browse/trunk/mia_0_x/includes/htmlpurifier/HTMLPurifier.php">2.1.3</a>)</li>
    <li><a href="">TikiWiki</a> (<a href="http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/branches/1.10/lib/HTMLPurifier.php?view=markup">2.1.3</a>)</li>
</ul>


<h3>Hall of Shame</h3>

<p>The following users package HTML Purifier with their software, but either are not
up-to-date or are improperly using the cutting-edge development versions in
stable releases. If you're a user or developer for these projects, please
raise your voice and help to get them fixed!</p>

<ul>
    <li>PHProjekt (<a href="http://thinkforge.org/plugins/scmcvs/cvsweb.php/phprojekt50/lib/html/library/HTMLPurifier.php?rev=HEAD;content-type=text%2Fplain;cvsroot=phprojekt5">1.6.0</a>)</li>
    <li>Lichen Webmail (<a href="http://trac.lichen-mail.org/browser/trunk/libs/HTMLPurifier.php">2.0.1</a>, see <a href="https://trac.lichen-mail.org/ticket/79">ticket #79</a>)</li>
</ul>

<h2 id="Propaganda">Spread the Word!</h2>

<p>Help spread awareness about HTML Purifier by:</p>

<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
    <div>Including this little <strong>label</strong> on your website:
    <a href="http://htmlpurifier.org/"><img
    src="live/art/powered.png"
    alt="Powered by HTML Purifier" border="0" /></a>, with this code:
    </div>
    <pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>

</div>

</body>
</html>