Will we be using htmlpurifier anymore?

(Serban Cristian) #1

Just found out today that htmlpurifier is in maintenance mode, so the author will only be fixing issues but not adding new stuff to it.

How does this affect the Yii framework?

Here’s a small reddit thread explaining a few more things, together with an alternative to htmlpurifier:

Thoughts?

(Alexander Makarov) #2

That’s interesting. Need to read that in detail. Thanks for letting us know.

(Alexander Makarov) #3

I’ve read all the materials.

  1. HTMLPurifier and html-sanitizer are different in terms of “fixing” HTML. HTMLPurifier does that, html-sanitizer does not.
  2. HTMLPurifier is battle-tested, very stable, has tons of tests. Latest release is February 22, 2018. In general, releases are yearly.
  3. HTMLPurifier was checked by professional security guys. At least I know that Scott Arciszewski, who also checked Yii and got libsodium into PHP, recommends it.
  4. html-sanitizer is a bit slower. Since it’s often used in templates and used heavily, it may make a difference.
  5. html-sanitizer is young and, as far as I know, wasn’t yet checked by security professionals.
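
The comparison in point 1 is easiest to see by feeding both libraries the same hostile fragment. The script below is an added example, not code from this thread, from Yii or from either library. It assumes the Composer packages `ezyang/htmlpurifier` and `tgalopin/html-sanitizer` (the thread does not name the html-sanitizer package; tgalopin’s is assumed) are installed and autoloadable, and the input HTML is constructed for the demo.

```php
<?php
// Added example (not from the forum thread, Yii or either library): run one
// constructed, hostile HTML fragment through HTMLPurifier and html-sanitizer.
// Assumes Composer packages ezyang/htmlpurifier and tgalopin/html-sanitizer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

// Constructed test input: an inline event handler, a <script> element, a
// javascript: URL and an unclosed <b> that crosses the closing </p>.
const DIRTY = '<p onclick="alert(1)">Hello <b>world</p>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">click</a>';

/**
 * HTMLPurifier: explicit whitelist of elements/attributes. Besides dropping
 * what is not allowed it rebuilds the tree, so the dangling <b> is closed
 * and the output is well-formed ("fixing", as the post calls it).
 */
function purifyWithHtmlPurifier(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements and attributes survive.
    $config->set('HTML.Allowed', 'p,b,i,a[href]');
    // Only http/https URLs; javascript: and data: links lose their href.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // No on-disk definition cache for a one-off script.
    $config->set('Cache.DefinitionImpl', null);

    return (new HTMLPurifier($config))->purify($html);
}

/**
 * html-sanitizer: extension-based whitelist applied to an HTML5 parse tree.
 * The 'basic' extension covers p, b, i, strong, em, a and similar inline
 * and block text elements with their safe attributes.
 */
function sanitizeWithHtmlSanitizer(string $html): string
{
    $sanitizer = HtmlSanitizer\Sanitizer::create([
        'extensions' => ['basic'],
    ]);

    return $sanitizer->sanitize($html);
}

/**
 * Whatever the exact markup each library emits, none of the attack vectors
 * from DIRTY may survive. Returns true when the output is clean.
 */
function isFreeOfVectors(string $output): bool
{
    foreach (['<script', 'onclick', 'javascript:'] as $needle) {
        if (stripos($output, $needle) !== false) {
            return false;
        }
    }
    return true;
}

$runs = [
    'HTMLPurifier'   => 'purifyWithHtmlPurifier',
    'html-sanitizer' => 'sanitizeWithHtmlSanitizer',
];

foreach ($runs as $name => $fn) {
    $out = $fn(DIRTY);
    printf("%-15s %s\n", $name . ':', $out);
    if (!isFreeOfVectors($out)) {
        throw new RuntimeException("$name left an attack vector in its output");
    }
}
```

Compare the two printed lines to see how each library treats the unclosed `<b>` and the stripped `href`. In a Yii 2 application the same HTMLPurifier call is normally made through `yii\helpers\HtmlPurifier::process($html, $config)`, where `$config` may be a callable that receives the `HTMLPurifier_Config` instance, so the `HTML.Allowed` and `URI.AllowedSchemes` settings above carry over unchanged.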

(Alexander Makarov) #4

Asked Scott if he did a review since he forked that repo.

(Alexander Makarov) #5

Overall, HTMLPurifier being in maintenance mode doesn’t sound too bad, so for now we’ll leave it as is. It’s good that we have an alternative, though.