Release 3.0.0.

[htmlpurifier-web.git] / index.xhtml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
  xmlns="http://www.w3.org/1999/xhtml"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xc="urn:xhtml-compiler"
  xmlns:svn="urn:xhtml-compiler:Subversion"
  svn:head-url="$HeadURL$"
  svn:revision="$Revision$"
  xc:rss-from-svn="yes"
  xml:lang="en">
<head>
<title>HTML Purifier - Filter your HTML the standards-compliant way!</title>
<xi:include href="common-meta.xml" xpointer="xpointer(/*/node())" />
<meta name="description"
  content="HTML filter that guards against XSS and ensures standards-compliant output." />
<meta name="keywords"
  content="HTMLPurifier, HTML Purifier, HTML, filter, filtering, standards, compliant, w3c, XSS, PHP, security, library, open source, LGPL, whitelist" />
<!-- See news.xhtml for definition -->
<link rel="alternate" type="application/rss+xml" title="News - HTML Purifier" href="news.rss" />
<script defer="defer" type="text/javascript" src="del.icio.us.js" xc:absolute="src"></script>
<!-- OpenID for Edward Z. Yang -->
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://edwardzyang.pip.verisignlabs.com/" />
<!-- Google OpenSearch -->
<link rel="search" href="opensearchdescription.xml"
  type="application/opensearchdescription+xml"
  title="HTML Purifier" />
</head>
<body>

<div id="branding">
  <h1>
    <span class="html">HTML</span>
    <span class="purifier">Purifier</span>
  </h1>
  <blockquote>
    <p>
      Standards-Compliant HTML Filtering
    </p>
  </blockquote>
</div>

<xi:include href="common-navigation.xml" xpointer="xpointer(/*/node())" />

<div id="content">

<div id="summary">
  <h2>Summary</h2>
  <div id="summary-safe">
    <h3>Safe</h3>
    <p>
      HTML Purifier defeats XSS with an audited whitelist
    </p>
  </div>
  <div id="summary-clean">
    <h3>Clean</h3>
    <p>
      HTML Purifier ensures standards-compliant output
    </p>
  </div>
  <div id="summary-open">
    <h3>Open</h3>
    <p>
      HTML Purifier is open-source and highly customizable
    </p>
  </div>
</div>

<div id="intro">
  <p><strong>HTML Purifier</strong> is a standards-compliant 
  <abbr>HTML</abbr> filter library written in 
  <abbr>PHP</abbr>. HTML Purifier will not only remove all malicious 
  code (better known as <abbr>XSS</abbr>) with a thoroughly audited, 
  secure <em>yet</em> permissive <strong><a 
  href="live/smoketests/printDefinition.php">whitelist</a></strong>,
  it will also make sure your documents are 
  <strong>standards compliant</strong>, something only achievable with a 
  comprehensive knowledge of <abbr>W3C</abbr>'s specifications. 
  Tired of using BBCode due to the current landscape of deficient or 
  insecure <abbr>HTML</abbr> filters? Have a 
  <strong><acronym>WYSIWYG</acronym></strong> editor but never been able to use it? Looking 
  for high-quality, standards-compliant, open-source components for that 
  application you're building? HTML Purifier is for you!</p> 
  
  <blockquote class="fancy">
  <div class="quote">
      I'd just like to say we use HTML Purifier in <a href="http://www.iris.ac/">IRIS</a> for
      filtering emails against XSS attacks and we've been more than impressed.
  </div>
  <div class="origin">&mdash; Chris Corbyn, <em>Senior IRIS Developer</em></div>
  </blockquote>
  
  <xi:include href="download-box.xml" xpointer="xpointer(/*/node())" />
  
</div>

<h2 id="Background">Background</h2>

<p>There are a number of open-source <abbr>HTML</abbr> filtering solutions out
there on the web already
(i.e. <acronym>PEAR</acronym>'s
<a href="http://pear.php.net/package/HTML_Safe">HTML_Safe</a>,
<a href="http://sourceforge.net/projects/kses">kses</a>
and
<a href="http://simon.incutio.com/archive/2003/02/23/safeHtmlChecker">
SafeHtmlChecker.class.php</a>).  What sets HTML Purifier apart from them?
Aren't all of these choices <q>secure</q>?</p>

<p>When it comes to <abbr>HTML</abbr>, <strong>attention to 
detail</strong> is key. Does the library demonstrate an in-depth 
knowledge of the <abbr>DTD</abbr> that defines 
<abbr>HTML</abbr>? Does it perform its filtering off a robust 
whitelist rather than a usually out-dated blacklist? Does it go through 
the care to check every single attribute in the document for validity? 
Does it actually understand tag markup, or pay lip-service with a series 
of deficient regexes and str_replace's?</p> 

<p>Somewhere along the way, all of HTML Purifier's predecessors fall 
flat. HTML_Safe dooms itself to attacks of the future by using a 
blacklist. Configurable filters like kses and PHP Input Filter still 
cannot validate the contents inside attributes. With all these gaps in 
coverage, none of the usual libraries come close to achieving 
<strong>standards-compliance</strong>. There is a user-unfriendly, 
draconic <abbr>XML</abbr>-based filter called Safe HTML Checker, 
but even it forgets that <code>&lt;a&gt;</code> tags cannot be nested 
within each other!</p> 

<p><strong>Know thy enemy.</strong> Wily hackers have a huge arsenal of 
<abbr>XSS</abbr> hidden within the depths of the 
<abbr>HTML</abbr> specification. HTML Purifier takes its 
effectiveness from the fact that it will decompose the whole document 
into tokens, and rigorously process the tokens by removing 
non-whitelisted elements, transforming bad practice tags like font into 
span, properly checking the nesting of tags and their children and 
validating all attributes according to their <abbr>RFC</abbr>s. 
HTML Purifier's comprehensive algorithms are complemented by a 
<strong>breadth of knowledge</strong>, ensuring that richly formatted 
documents pass through unstripped.</p> 

<p>To my knowledge, there is nothing else in the wild that offers 
protection from <abbr>XSS</abbr>, standards-compliance, and the
corrective processing of poorly formed <abbr>HTML</abbr>
simultaneously. Don't take my word for it though: 
do your research. Investigate the other libraries, and decide for 
yourself who you would prefer to be the <strong>gatekeeper</strong> to 
your system.</p> 

<p>To find out more, you can read the
<a href="comparison.html"><strong>Comparison</strong></a>
for a play-by-play analysis of the major filter libraries currently
out there.</p>

<blockquote class="fancy">
<div class="quote">
    [Y]ou save my day by allowing me not to write another damned HTML parser.
</div>
<div class="origin">
    &mdash; Joseph Halter, <em>Technical Director at Akira Web</em>
</div>
</blockquote>

<h2 id="Plugins">Plugins</h2>

<p>HTML Purifier is a great library to integrate with existing
<abbr>CMS</abbr>es and other applications or <acronym>WYSIWYG</acronym>
editors.  Currently, we have plugins for these applications:</p>

<ul>
    <li><a href="http://www.phorum.org/phorum5/read.php?16,122766">Phorum</a> (in use at our very own forums!)</li>
    <li><a href="http://htmlpurifier.org/svnroot/htmlpurifier/trunk/plugins/modx.txt">MODx</a></li>
    <li><a href="http://bart.motd.be/projects/html-purifier-drupal-module">Drupal</a> by Bart Jansens</li>
    <li><a href="http://urbangiraffe.com/plugins/html-purified/">Wordpress</a> by John Godley</li>
    <li><a href="http://www.mindloop.be/nieuws/nieuwe-ontwikkelingen/htmlpurifier-and-the-codeigniter-framework">CodeIgniter</a> by Andy Mathijs</li>
</ul>

<p>
    <strong>Notice:</strong>
    Any plugin provided by a third party has not been vetted by us: use
    them at your own risk. If you are having a problem with the plugin,
    please consult the plugin author before asking for help here (we'll
    be more than happy to help, but it might be a problem with the 
    plugin rather than HTML Purifier.)
</p>

<blockquote class="fancy">
<div class="quote">
    This plugin is on top of my favorite list[.] I am going to heavily
    depend on it since my clients insist on having <acronym>WYSIWYG</acronym> and I insist on
    having pages that validate and are semantically sound.
</div>
<div class="origin">
    &mdash; David Molliere, <em>MODx Marketing &amp; Design Team</em>
</div>
</blockquote>

<p>Plugins for other major applications gladly accepted!</p>



<h2 id="Docs">Documentation</h2>
<ul>
    <li><strong><a href="docs/">End-User
        Documentation</a></strong> &mdash; In-depth documents on how to get
        the most out of HTML Purifier.</li>
    <li><a href="http://htmlpurifier.org/phorum/">Support Forum</a> &mdash; Talk about all things
        HTML Purifier.</li>
    <li><a href="live/smoketests/printDefinition.php">Print
        Definition</a> &mdash; If you want to actually see what HTML Purifier's
        filtering rules are, look no further than to this page. You can even
        experiment with the configuration to see how things respond to different
        directives.</li>
    <li><a href="live/smoketests/xssAttacks.php"><abbr>XSS</abbr>
        Attacks Smoketest</a> &mdash; Tests how well HTML Purifier fares
        against RSnake's famous cheatsheet of <abbr>XSS</abbr> attacks.</li>
    <li><a href="live/TODO">Roadmap</a>
        &mdash; Subject to lots of delays, but it's a glimpse of the future</li>
    <li><a href="live/art/">Artwork</a>
        &mdash; Extra media goodies.</li>
    <li><a href="live/configdoc/plain.html">Configuration
        documentation</a> &mdash; See the <code>INSTALL</code> document on how to
        configure your HTML Purifier installation.</li>
    <li><a href="http://htmlpurifier.org/doxygen/html/">Doxygen-generated
        Documentation</a> &mdash; No class left undocumented!  Cross-referenced
        code!  A must-read for any prospective HTML Purifier hacker.
        (close by, <a href="http://htmlpurifier.org/phpdoc/">PHPDoc-generated
        Documentation.</a>)</li>
</ul>

<h2 id="Propaganda">Spread the Word!</h2>

<p>Help spread awareness about HTML Purifier by:</p>

<ul>
<li><a
href="http://del.icio.us/post?v=4&amp;noui&amp;url=http://htmlpurifier.org/&amp;title=HTML%20Purifier%20-%20Filter%20your%20HTML%20the%20standards-compliant%20way!"
id="delicious">Bookmarking this website</a> on your <strong>del.icio.us</strong> account, and/or</li>
<li>
    <div>Including this little <strong>label</strong> on your website:
    <a href="http://htmlpurifier.org/"><img
    src="live/art/powered.png"
    alt="Powered by HTML Purifier" border="0" /></a>, with this code:
    </div>
    <pre class="long">&lt;a href=&quot;http://htmlpurifier.org/&quot;&gt;&lt;img
src=&quot;http://htmlpurifier.org/live/art/powered.png&quot;
alt=&quot;Powered by HTML Purifier&quot; border=&quot;0&quot; /&gt;&lt;/a&gt;</pre>
</li>
</ul>

</div>

</body>
</html>