jeffersongoncalves/laravel-html-sanitizer


Maintainers

Package info

github.com/jeffersongoncalves/laravel-html-sanitizer

pkg:composer/jeffersongoncalves/laravel-html-sanitizer


jeffersongoncalves

Statistics

Installs: 44

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

v1.2.0 2026-06-21 20:09 UTC

This package is auto-updated.

Last update: 2026-06-23 11:53:19 UTC


README

Laravel HTML Sanitizer


This Laravel package provides a simple wrapper around the Symfony HTML Sanitizer to safely clean untrusted HTML. It strips scripts, inline event handlers, and Alpine attributes while keeping the presentational subset (headings, lists, tables, code blocks, images, links) that rendered Markdown and READMEs need. The package is easy to install and configure, seamlessly integrating with your existing Laravel application.

Installation

You can install the package via composer:

composer require jeffersongoncalves/laravel-html-sanitizer

Usage

Pass any untrusted HTML through HtmlSanitizer::clean() before rendering it:

use JeffersonGoncalves\HtmlSanitizer\HtmlSanitizer;

$dirty = '<p>Hello</p><script>alert("xss")</script><img src="x" onerror="steal()">';

$clean = HtmlSanitizer::clean($dirty);
// <p>Hello</p><img src="x">

The sanitizer:

  • drops <script>, <style> and every event-handler attribute (onerror, onclick, ...);
  • strips Alpine x-* attributes;
  • keeps the safe presentational subset: headings, lists, tables, code blocks, images and links;
  • allows relative links and media, and the https, http and mailto link schemes; media schemes are limited to https and http (data: is excluded by default because data:image/svg+xml payloads can execute script);
  • preserves class/id attributes (for heading permalinks, code-language hints and table wrappers) and width/height on <img>.

It is intended for rendered HTML that originated from untrusted sources — GitHub READMEs of third-party repos and the Markdown body of imported articles — where raw HTML is enabled during rendering.
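As an added example (not code from the package or its README), the following PHPUnit test pins each of the guarantees listed above against HtmlSanitizer::clean(), so that a later config change that weakens the policy fails in CI rather than in production. It assumes the default published config and the Laravel `Tests\TestCase` base class; the payloads and the class name are constructed for the example, and the assertions check for the presence or absence of fragments rather than exact serialisation so they do not depend on attribute order or whitespace.

```php
<?php
// Added example, not the package's own code: a regression test for the sanitizer policy.
// Assumes HtmlSanitizer::clean() as documented in the README and the default published config.
// All HTML inputs below are constructed for this test.

namespace Tests\Unit;

use JeffersonGoncalves\HtmlSanitizer\HtmlSanitizer;
use Tests\TestCase;

final class HtmlSanitizerPolicyTest extends TestCase
{
    /** Markup that must never survive sanitisation, keyed by the rule it exercises. */
    private const MUST_DROP = [
        'script element'   => '<p>a</p><script>alert(1)</script>',
        'style element'    => '<style>body{display:none}</style><p>a</p>',
        'event handler'    => '<img src="x" onerror="steal()">',
        'alpine attribute' => '<div x-data="{open:true}" x-on:click="open=false">a</div>',
        'javascript link'  => '<a href="javascript:alert(1)">a</a>',
        // base64 of an empty <svg/>; data: is not an allowed media scheme by default
        'data svg image'   => '<img src="data:image/svg+xml;base64,PHN2Zy8+">',
    ];

    /** Fragments that must not appear in any sanitised output of the cases above. */
    private const FORBIDDEN = ['<script', '<style', 'onerror', 'x-data', 'x-on', 'javascript:', 'data:'];

    public function testDangerousMarkupIsRemoved(): void
    {
        foreach (self::MUST_DROP as $case => $dirty) {
            $clean = HtmlSanitizer::clean($dirty);

            foreach (self::FORBIDDEN as $fragment) {
                $this->assertStringNotContainsStringIgnoringCase($fragment, $clean, "case: {$case}");
            }
        }
    }

    public function testPresentationalSubsetSurvives(): void
    {
        // Headings with ids (permalinks), code blocks with a language class,
        // tables, https links and images with width/height must all be kept.
        $dirty = '<h2 id="install">Install</h2>'
            . '<pre><code class="language-php">echo 1;</code></pre>'
            . '<table><tr><td>cell</td></tr></table>'
            . '<a href="https://example.com/docs">docs</a>'
            . '<img src="/img/logo.png" width="64" height="64">';

        $clean = HtmlSanitizer::clean($dirty);

        foreach ([
            '<h2', 'id="install"', '<pre', '<code', 'class="language-php"', '<table', '<td',
            'href="https://example.com/docs"', 'src="/img/logo.png"', 'width="64"', 'height="64"',
        ] as $fragment) {
            $this->assertStringContainsString($fragment, $clean);
        }
    }
}
```

Run it with `composer test` (or `php artisan test`). If you later loosen the config, for instance by adding `data` to `media_schemes`, the first test fails and makes the trade-off visible in review.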

Configuration

Publish the config file to customise the allowed schemes, allowed attributes and the maximum input length:

php artisan vendor:publish --tag="html-sanitizer-config"

The published file contains the defaults:

return [
    // -1 = unlimited. Symfony otherwise truncates input at 20000 bytes,
    // silently cutting long READMEs/articles mid-content.
    'max_input_length' => -1,

    'allow_relative_links' => true,
    'allow_relative_medias' => true,

    'link_schemes' => ['https', 'http', 'mailto'],

    // 'data' is intentionally omitted: data:image/svg+xml can carry script.
    'media_schemes' => ['https', 'http'],

    'attributes' => [
        'class' => '*',
        'id' => '*',
        'width' => ['img'],
        'height' => ['img'],
    ],
];
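To show what each of these keys controls, here is the same policy rebuilt directly against Symfony's HtmlSanitizerConfig, as an added example that is not the package's own code. It assumes the wrapper maps its config keys onto the HtmlSanitizerConfig calls shown (consult the package source for the exact mapping); the `buildConfig()` and `check()` helpers and all inputs are constructed for the example. It can be run as a plain PHP script outside Laravel, which is handy for checking the policy in isolation.

```php
<?php
// Added example, not the package's own code: the published config expressed directly
// against Symfony's HtmlSanitizerConfig. Assumption: the wrapper maps its keys onto
// these calls. Inputs and helper names are constructed for this example.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

/** Build a Symfony sanitizer config from the array shape the package publishes. */
function buildConfig(array $options): HtmlSanitizerConfig
{
    $config = (new HtmlSanitizerConfig())
        // Symfony's safe subset: headings, lists, tables, pre/code, img, a and friends;
        // <script>, <style> and on* handlers are never part of it.
        ->allowSafeElements()
        ->allowRelativeLinks($options['allow_relative_links'])
        ->allowRelativeMedias($options['allow_relative_medias'])
        ->allowLinkSchemes($options['link_schemes'])
        ->allowMediaSchemes($options['media_schemes'])
        // -1 disables the 20000-byte truncation mentioned in the config comment.
        ->withMaxInputLength($options['max_input_length']);

    // Extra attributes, either on every element ('*') or on a list of elements.
    // HtmlSanitizerConfig is immutable, so keep the returned copy.
    foreach ($options['attributes'] as $attribute => $elements) {
        $config = $config->allowAttribute($attribute, $elements);
    }

    return $config;
}

/** Fail loudly instead of relying on php.ini's assert settings. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("policy check failed: {$what}");
    }
}

// The defaults from the published config, copied inline.
$defaults = [
    'max_input_length'      => -1,
    'allow_relative_links'  => true,
    'allow_relative_medias' => true,
    'link_schemes'          => ['https', 'http', 'mailto'],
    'media_schemes'         => ['https', 'http'],
    'attributes'            => ['class' => '*', 'id' => '*', 'width' => ['img'], 'height' => ['img']],
];

$strict = new HtmlSanitizer(buildConfig($defaults));

// A data: SVG image (constructed: an empty <svg/> in base64). Its src is dropped because
// 'data' is not an allowed media scheme, while relative and https sources survive.
$svg = '<img src="data:image/svg+xml;base64,PHN2Zy8+" width="8">';
check(!str_contains($strict->sanitize($svg), 'data:'), 'data: image source is dropped');
check(str_contains($strict->sanitize('<img src="/logo.png" width="8">'), 'src="/logo.png"'), 'relative image source is kept');
check(str_contains($strict->sanitize('<img src="/logo.png" width="8">'), 'width="8"'), 'width on <img> is kept');

// max_input_length => -1: a 30 kB document comes back whole instead of cut at 20000 bytes.
$long = '<p>' . str_repeat('x', 30000) . '</p>';
check(strlen($strict->sanitize($long)) > 20000, 'long input is not truncated');

// Weak variant for contrast: adding 'data' to media_schemes lets the SVG source through,
// which is exactly why the published default leaves it out.
$weak = new HtmlSanitizer(buildConfig(['media_schemes' => ['https', 'http', 'data']] + $defaults));
check(str_contains($weak->sanitize($svg), 'data:image/svg+xml'), 'weak config keeps data: source');

echo "all policy checks passed", PHP_EOL;
```

The `check()` calls throw on any deviation, so the script doubles as a smoke test for whichever config you end up publishing; rerun it after every change to `link_schemes`, `media_schemes` or `attributes`.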

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

License

The MIT License (MIT). Please see License File for more information.