Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Tree: 4e6d9bc362

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


Version 1.3.5.

This parser strips down all potentially dangerous content within HTML:
  * opening tag without its closing tag
  * closing tag without its opening tag
  * any of these tags: "base", "basefont", "head", "html", "body", "applet", "object", 
    "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound", 
    "link", "meta", "style", "title", "blink", "xml" etc.
  * any of these attributes: on*, data*, dynsrc
  * javascript:/vbscript:/about: etc. protocols
  * expression/behavior etc. in styles
  * any other active content
It also tries to convert code to XHTML valid, but htmltidy is far better solution for this task.

If you found any bugs in this parser, please inform me -- ICQ:551593 or

Please, subscribe to feed in order to receive notices 
when SAFEHTML will be updated.

-- Roman Ivanov.
-- Pixel-Apes ( ).
-- JetStyle ( ).

Version history:
 * Two serious security flaws fixed: UTF-7 XSS and CSS comments handling.
 * Security flaw (improper quotes handling in attributes' values) fixed. Big thanks to Nick Cleaton.
 * Dumb bug fixed (some closing tags were ignored).
 * Two holes (with decimal HTML entities and with \x00 symbol) fixed.
 * Class rewritten under PEAR coding standarts.
 * Class now uses unmodified HTMLSax3 from PEAR.
 * To the list of table tags added: "caption", "col", "colgroup".
 * It was possible to create XSS with hexadecimal HTML entities. Fixed. Big thanks to Christian Stocker.
 * "id" and "name" attributes added to dangerous attributes list, because malefactor can broke legal javascript by spoofing ID or NAME of some element.
 * New method parse() allows to do all parsing process in two lines of code. Examples also updated.
 * New array, closeParagraph, contains list of block-level elements. When we open such elemet, we should close paragraph before. . It allows SafeHTML to produce more XHTML compliant code.
 * Added "webcal" to white list of protocols for those who uses calendar programs (Mozilla/iCal/etc).
 * Now SafeHTML strips down table elements when we are not inside table.
 * Now SafeHTML correctly closes unclosed "li" tags: before opening "li" of the same nesting level.
 * New "dangerous" protocols: hcp, ms-help, help, disk,, opera, res, resource, chrome, mocha, livescript.
 * <XML> tag was moved from "tags for deletion" to "tags for deletion with content".
 * New "dangerous" CSS instruction "include-source" (NN4 specific).
 * New array, Attributes, contains list of attributes for removal. If you need to remove "id" or "name" attribute, 
 just add it to this array.
 * Now it is possible to choose between white-list and black-list filtering of protocols. Defaults are "white-list".
 This list is: "http", "https", "ftp", "telnet", "news", "nntp", "gopher", "mailto", "file".
 * For speed purposes, we now filter protocols only from these attributes: src, href, action, lowsrc, dynsrc, 
 background, codebase.
 * Opera6 XSS bug ([\xC0][\xBC]script>alert(1)[\xC0][\xBC]/script> [UTF-8] workarounded.
 New "dangerous" tag: plaintext.
 Added array of elements that can have no closing tag.
 Bug fix: <img src="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1);"> attack.
 Thanks to shmel.
 Bug fix: safehtml hangs on <style></style></style> code.
 Thanks to lj user=electrocat.
 First public release
Something went wrong with that request. Please try again.