Comparison of PHP HTML Filter Tools

Posted on Saturday, October 15, 2005 @ 03:10:47 CDT in General
by kguske

Several tools (mostly classes) give PHP applications the ability to strip bad HTML, enforce XHTML compliance, and more. These tools include Cyberai InputFilter, Deric Rethans filter, HTML Filter for PHP, HTML_Safe, kses, and Safe HTML checker. This comparison shows some of the important differences.

HTML Filters   Configuration Form Fields Additional
Class / Tool License Tags Attributes Whitelist Blacklist Dynamic All Single XSS SQL Injection Logic Max Len / Value Compliance
Cyberai InputFilter GPL Yes Yes Yes Yes Yes Yes Yes Yes Yes No No Tags, Attributes
Deric Rethans filter PHP (Yes) (Yes) (Yes)   Yes No Yes No No Yes No No
HTML Filter for PHP LGPL Yes Yes Yes No No No Yes No No No No Validation?
HTML_Safe BSD Yes Yes Yes Yes No No Yes No No No No Tags
kses GPL Yes Yes Yes No Yes No Yes No No No Yes Attributes
Safe HTML checker ? Yes Yes Yes No No No Yes No No No No Tags

Tags and Attributes includes the ability to specify which tags and attributes are allowed (whitelist) or disallowed (blacklist).
Dynamic represents the ability to dynamically configure which tags / attributes are allowed

Form fields – can the tool process all form fields and / or a single field.  Though all forms fields is convenient, it may be necessary not to process specific field (e.g. Fields that contain html special characters text)

XSS – includes features for blocking cross site scripting attacks
SQL Injection – includes features for blocking SQL injection attacks
Logic – includes features for validating fields (e.g. email address, URL, etc.)
Max Len / Value – supports checking attribute values for minimum/maximum length and minimum/maximum value, to protect against Buffer Overflows and Denial of Service attacks against WWW clients and various servers
Compliance – enforces W3C / XHTML compliance with tags (requires open and close), attributes (requires double quotes)