The HtmlSanitizer component provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Reference listing of the HtmlSanitizerConfig API. Every option is shown once,
// so some calls overlap on purpose (e.g. "div" is allowed, then dropped); a real
// configuration keeps only the calls it needs.
//
// Default policy: an element that is neither allowed nor blocked is dropped
// together with its children.
$config = new HtmlSanitizerConfig();

// --- Element presets -------------------------------------------------------

// "Safe" elements and attributes only: all scripts are removed, as well as
// other dangerous behaviours such as CSS injection.
$config = $config->allowSafeElements();

// All static elements and attributes from the W3C Sanitizer API standard.
// Scripts are still removed, but the output may still contain other dangerous
// behaviours (CSS injection / click-jacking, CSS expressions, ...). This preset
// is less restrictive than allowSafeElements().
$config = $config->allowStaticElements();

// --- Individual elements ---------------------------------------------------

$config = $config
    // "div" is allowed, with no attribute permitted on it
    ->allowElement('div')
    // "a" is allowed, and may carry a "title" attribute
    ->allowElement('a', ['title'])
    // "span" is allowed with any attribute of the Sanitizer API default
    // configuration (see https://wicg.github.io/sanitizer-api/#default-configuration)
    ->allowElement('span', '*')
    // "section" is blocked: the element itself is removed, its children are kept
    ->blockElement('section')
    // "div" is dropped: the element is removed together with its children
    ->dropElement('div');

// --- Individual attributes -------------------------------------------------

$config = $config
    // "title" is allowed on "div"
    ->allowAttribute('title', ['div'])
    // "data-custom-attr" is allowed on every element currently allowed
    ->allowAttribute('data-custom-attr', '*')
    // "data-custom-attr" is removed from "div"
    ->dropAttribute('data-custom-attr', ['div'])
    // "data-custom-attr" is removed from every element
    ->dropAttribute('data-custom-attr', '*')
    // every "rel" attribute on an "a" element is overwritten with
    // "noopener noreferrer"
    ->forceAttribute('a', 'rel', 'noopener noreferrer');

// --- URLs in links and media -----------------------------------------------

$config = $config
    // rewrite every HTTP scheme to HTTPS
    ->forceHttpsUrls()
    // schemes accepted in links; any other scheme is dropped
    ->allowLinkSchemes(['https', 'http', 'mailto'])
    // hosts accepted in links (every host is accepted when this is not called)
    ->allowLinkHosts(['symfony.com', 'example.com'])
    // keep relative URLs in links (they are dropped when this is not called)
    ->allowRelativeLinks()
    // schemes accepted in img/audio/video/iframe; any other scheme is dropped
    ->allowMediaSchemes(['https', 'http'])
    // hosts accepted in img/audio/video/iframe (every host is accepted by default)
    ->allowMediaHosts(['symfony.com', 'example.com'])
    // keep relative URLs in img/audio/video/iframe (they are dropped by default)
    ->allowRelativeMedias();

// --- Custom attribute sanitizers -------------------------------------------

// $attributeSanitizer is an AttributeSanitizerInterface instance defined
// elsewhere; it plugs custom sanitization logic into the pipeline.
$config = $config
    ->withAttributeSanitizer($attributeSanitizer)
    // and the reverse: unregister a previously registered sanitizer
    ->withoutAttributeSanitizer($attributeSanitizer);

$sanitizer = new HtmlSanitizer($config);

// $userInput is the untrusted HTML string to clean (defined elsewhere).

// Sanitize in the "body" context using the configuration above: tags that are
// only allowed inside <head> are removed.
$sanitizer->sanitize($userInput);

// Sanitize for insertion into a <head> tag.
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize for insertion into another tag; the context decides the treatment.
$sanitizer->sanitizeFor('title', $userInput);    // encoded as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // encoded as HTML entities
$sanitizer->sanitizeFor('div', $userInput);      // sanitized as body
$sanitizer->sanitizeFor('section', $userInput);  // sanitized as body
// ...