Will we be using htmlpurifier anymore?

Just found out today that htmlpurifier is in maintenance mode, so the author will only be fixing issues but not adding new stuff to it.

How this affects Yii framework?

Here’s a small reddit thread explaining a few more things, together with an alternative to htmlpurifier:

Thoughts ?


That’s interesting. Need to read that in details. Thanks for letting us know.

I’ve read all the materials.

  1. HTMLPurifier and html-sanitizer are different in terms of “fixing” HTML. HTMLPurifier does that, html-sanitizer does not.
  2. HTMLPurifier is battle-tested, very stable, has tons of tests. Latest release is February 22, 2018. In general releases are yearly ones.
  3. HTMLPurifier was checked by professional security guys. At least I know that Scott Arciszewski, who also checked Yii and got libsodium into PHP, recommends it.
  4. html-sanitizer is a bit slower. Since it’s often used in templates and used hard, it may make a difference.
  5. html-sanitizer is young and, as far as I know, wasn’t yet checked by security professionals.

Asked Scott if he did a review since he forked that repo.

Overall, HTMLPurifier being in the maintenance mode doesn’t sound too bad so for now we’ll leave it as is. It’s good that we have alternative though.