Several tools (mostly PHP classes) give PHP applications the ability to strip unwanted or dangerous HTML from user input, enforce XHTML compliance, and more. These tools include Cyberai InputFilter, Derick Rethans filter, HTML Filter for PHP, HTML_Safe, kses, and Safe HTML checker. The comparison below shows some of the important differences.
Column groups: Configuration covers Tags, Attributes, Whitelist, Blacklist and Dynamic; Form Fields covers All and Single; Additional covers XSS, SQL Injection, Logic, Max Len / Value and Compliance. A value in parentheses is as given in the source comparison.

| Class / Tool | License | Tags | Attributes | Whitelist | Blacklist | Dynamic | All | Single | XSS | SQL Injection | Logic | Max Len / Value | Compliance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cyberai InputFilter | GPL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Tags, Attributes |
| Derick Rethans filter | PHP | (Yes) | (Yes) | (Yes) | Yes | No | Yes | No | No | Yes | No | No | |
| HTML Filter for PHP | LGPL | Yes | Yes | Yes | No | No | No | Yes | No | No | No | No | Validation? |
| HTML_Safe | BSD | Yes | Yes | Yes | Yes | No | No | Yes | No | No | No | No | Tags |
| kses | GPL | Yes | Yes | Yes | No | Yes | No | Yes | No | No | No | Yes | Attributes |
| Safe HTML checker | ? | Yes | Yes | Yes | No | No | No | Yes | No | No | No | No | Tags |
Configuration
Tags and Attributes – the tool lets you specify which tags and which attributes are allowed (Whitelist) or disallowed (Blacklist). A whitelist is the safer configuration: anything not explicitly permitted is removed, so tags and attributes the blacklist author never thought of cannot slip through.
Dynamic – the set of allowed tags / attributes can be configured at run time (e.g. passed to the filter as a parameter) rather than being fixed in the class source.
Form fields – whether the tool can process all submitted form fields at once (All) and/or one named field (Single). Processing every field is convenient, but it may be necessary to skip specific fields, e.g. plain-text fields that legitimately contain HTML special characters; such fields should be escaped on output rather than filtered as HTML.
Additional
XSS – includes features specifically aimed at blocking cross-site scripting attacks, beyond whatever a plain tag whitelist happens to remove
SQL Injection – includes features for blocking SQL injection attacks. Note that an HTML filter is the wrong layer for this: parameterized queries (prepared statements) are the reliable defence, and filtering should not be relied on in their place
Logic – includes validators for the meaning of a field value (e.g. email address, URL, etc.)
Max Len / Value – supports checking attribute values against a minimum/maximum length and a minimum/maximum numeric value, to limit buffer overflow and denial of service attacks against browsers and against servers that later consume the filtered output
Compliance – enforces W3C / XHTML well-formedness: tags (every opened tag must be closed) and attributes (values must be double-quoted)
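To make the columns concrete, here is an added PHP example written for this page; it is not code from any of the tools compared above, and the function names filter_html, clean_node, attribute_ok and filter_fields, the $allowed configuration and the sample $post array are invented for the illustration. It implements a tag/attribute whitelist supplied at call time (Dynamic), an attribute maxlen check (Max Len / Value), a URL scheme check on href/src plus removal of unlisted attributes such as event handlers (XSS), XML serialization so that every tag is closed and every attribute double-quoted (Compliance), and per-field processing (All / Single). It deliberately does nothing about SQL injection or field logic validation.

```php
<?php
declare(strict_types=1);
// Added illustration, not code from any tool in the table; all names are hypothetical.

// Whitelist filter. $allowed is supplied per call (Dynamic column), e.g.
//   ['p' => [], 'a' => ['href' => ['maxlen' => 200]]]
// Unlisted tags are unwrapped (their text survives); unlisted attributes are
// removed, which also disposes of every on* event handler (XSS column).
function filter_html(string $html, array $allowed, array $schemes = ['http', 'https', 'mailto']): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // tolerate tag soup quietly
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $out = '';
    // A stray </body> in the input makes libxml open a second body element;
    // walk every body so content after it is neither dropped nor skipped.
    foreach (iterator_to_array($doc->getElementsByTagName('body'), false) as $body) {
        foreach (iterator_to_array($body->childNodes, false) as $child) {
            clean_node($child, $allowed, $schemes);
        }
        foreach ($body->childNodes as $child) {
            // XML serialisation closes every tag and double-quotes every attribute (Compliance
            // column). Empty non-void elements come out as <p/>: fine for XHTML, not for text/html.
            $out .= $doc->saveXML($child);
        }
    }
    return $out;
}

function clean_node(DOMNode $node, array $allowed, array $schemes): void
{
    if (!$node instanceof DOMElement) {
        if (!$node instanceof DOMText) {               // comments, PIs: drop (legacy-parser payloads)
            $node->parentNode->removeChild($node);
        }
        return;                                        // text is escaped on serialisation
    }
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        clean_node($child, $allowed, $schemes);        // children first, so unwrapped content is clean
    }
    $tag = strtolower($node->tagName);
    if (!isset($allowed[$tag])) {
        // script/style content is code, not text: drop it whole. Anything else: unwrap.
        while (!in_array($tag, ['script', 'style'], true) && $node->firstChild !== null) {
            $node->parentNode->insertBefore($node->firstChild, $node);
        }
        $node->parentNode->removeChild($node);
        return;
    }
    foreach (iterator_to_array($node->attributes, false) as $attr) {
        $name = strtolower($attr->name);
        $rule = $allowed[$tag][$name] ?? null;
        if ($rule === null || !attribute_ok($name, $attr->value, $rule, $schemes)) {
            $node->removeAttribute($attr->name);
        }
    }
}

function attribute_ok(string $name, string $value, array $rule, array $schemes): bool
{
    if (isset($rule['maxlen']) && strlen($value) > $rule['maxlen']) {
        return false;                                  // Max Len / Value column
    }
    if ($name === 'href' || $name === 'src') {
        // Browsers ignore ASCII whitespace/control characters inside a URL, so "java\tscript:"
        // resolves as "javascript:"; entities such as &#106; were already decoded by the parser.
        $url = preg_replace('/[\x00-\x20]+/', '', $value) ?? '';
        if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)
            && !in_array(strtolower($m[1]), $schemes, true)) {
            return false;                              // javascript:, data:, vbscript: ...
        }
    }
    return true;
}

// Per-field processing (All / Single columns): only the named fields are HTML-filtered.
// Plain-text fields are left alone and escaped with htmlspecialchars() when rendered.
function filter_fields(array $post, array $htmlFields, array $allowed): array
{
    foreach ($htmlFields as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $post[$field] = filter_html($post[$field], $allowed);
        }
    }
    return $post;
}

// Constructed sample submission for the demonstration (not real data).
$allowed = ['p' => [], 'b' => [], 'br' => [],
            'a' => ['href' => ['maxlen' => 200], 'title' => ['maxlen' => 100]]];
$post = [
    'bio'   => '<p onclick="steal()">Hi <b>there</b><br><a href="java&#9;script:alert(1)">x</a>'
             . '<a HREF="https://example.com" target="_blank">ok</a><script>alert(1)</script></p>',
    'title' => 'a < b',                                // plain field: escape on output instead
];
echo filter_fields($post, ['bio'], $allowed)['bio'], "\n";
```

Run it with the PHP CLI (the dom extension is required). For the constructed bio field the onclick and target attributes, the tab-obfuscated javascript: href and the script block are removed, while the text, the https link and the now explicitly closed br survive; the plain-text title field is untouched. The whitelist does the heavy lifting: because only listed attributes are kept, no blacklist of on* handlers has to be maintained, which is the practical argument for the Whitelist column over the Blacklist column.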