Zend Framework Proposal: Zend\Html\Filter (HTML Sanitisation and Manipulation)

Note: This article was originally published at Planet PHP on 6 September 2010.
For a while now I've wanted to build an HTML sanitisation solution for PHP, and where else would I put it than in Zend Framework? As I've explored in past articles [1] [2], HTML sanitisation in PHP is a very inconsistent practice. Sanitisers like HTMLPurifier are very secure out of the box but undeniably slow and resource intensive, while those that rely on regular expressions to parse HTML are much faster but lose a lot in the security stakes. Isn't it possible to create a sanitiser that is both secure by default and performs well?

This was the core of the idea that became Wibble, my prototype for Zend\Html\Filter. Wibble borrows sanitisation routines from libraries in a few other programming languages to ensure secure operation, but relies entirely on PHP's DOM extension and HTML Tidy for HTML parsing and speed. My benchmarks of the prototype [1] showed that, while Wibble can even beat regular expression based sanitisers in scenarios where the HTML is being manipulated, it is certainly faster than HTMLPurifier, and without sacrificing security. Wibble therefore offers the best of both worlds, security and performance, and the tradeoff imposed by current solutions no longer applies.
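To make the DOM-based approach concrete, here is an added example of a minimal whitelist sanitiser built on PHP's DOM extension. It is not Wibble or Zend\Html\Filter code, and it parses with libxml alone rather than HTML Tidy; the allowed tag, attribute and URL scheme lists are illustrative assumptions. The point it demonstrates is why parsing beats regular expressions: the DOM hands the sanitiser decoded attribute values and a real element tree, so an encoded `javascript:` scheme or an unclosed tag cannot slip past a pattern match.

```php
<?php
// Added example (not Wibble or Zend\Html\Filter): whitelist sanitiser on PHP DOM.
// Everything not explicitly allowed is removed; unknown elements are unwrapped
// (their text survives, the tag does not), dangerous ones are dropped outright.
declare(strict_types=1);

final class DomWhitelistSanitiser
{
    /** Allowed elements and, per element, the attributes that may survive (assumed lists). */
    private const ALLOWED = [
        'p' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'br' => [],
        'a' => ['href', 'title'],
        'img' => ['src', 'alt'],
    ];

    /** Elements whose content is removed as well, not merely unwrapped. */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

    /** Attributes that carry a URL and must pass the scheme check. */
    private const URL_ATTRIBUTES = ['href', 'src'];
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

    public function sanitise(string $html): string
    {
        $dom = new DOMDocument();
        $previous = libxml_use_internal_errors(true); // tolerate tag soup quietly
        // The XML PI forces UTF-8; libxml wraps the fragment in html/body for us.
        $dom->loadHTML('<?xml encoding="UTF-8">' . $html);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);

        $body = $dom->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        $this->clean($body);

        // Serialise only the body's children so no wrapper elements leak out.
        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $dom->saveHTML($child);
        }
        return $out;
    }

    private function clean(DOMNode $node): void
    {
        // Copy the child list first: removing nodes from a live DOMNodeList
        // while iterating it skips the following sibling.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMComment || $child instanceof DOMProcessingInstruction) {
                $node->removeChild($child); // conditional comments and PIs carry no content we want
                continue;
            }
            if (!$child instanceof DOMElement) {
                continue; // text nodes are re-escaped by saveHTML, so they are safe to keep
            }
            $name = strtolower($child->tagName);
            if (in_array($name, self::DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            // Clean the subtree before deciding what to do with this element,
            // so that children promoted by an unwrap are already sanitised.
            $this->clean($child);
            if (!array_key_exists($name, self::ALLOWED)) {
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            $this->cleanAttributes($child, self::ALLOWED[$name]);
        }
    }

    /** @param string[] $allowed attribute names permitted on this element */
    private function cleanAttributes(DOMElement $el, array $allowed): void
    {
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $attrName = strtolower($attr->name);
            // Event handlers, style and anything else not whitelisted go.
            if (!in_array($attrName, $allowed, true)) {
                $el->removeAttribute($attr->name);
                continue;
            }
            // DOM has already decoded entities, so the scheme check sees the real value.
            if (in_array($attrName, self::URL_ATTRIBUTES, true) && !$this->urlIsSafe($attr->value)) {
                $el->removeAttribute($attr->name);
            }
        }
    }

    private function urlIsSafe(string $url): bool
    {
        // Browsers ignore control characters and whitespace inside a scheme; strip them
        // before matching so "java\tscript:" is recognised as a scheme.
        $probe = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
        if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
            return true; // no scheme: relative URL
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }
}

// Constructed sample input for demonstration only.
$dirty = '<p onclick="x()">Hello <b>world</b></p>'
       . '<a href="javascript:alert(1)">link</a>'
       . '<script>x()</script><span>plain</span>';
echo (new DomWhitelistSanitiser())->sanitise($dirty), PHP_EOL;
```

Running it on the constructed input keeps the paragraph and bold text, strips the `onclick` handler, leaves the anchor without its `href`, removes the script element with its body, and unwraps the `span` so only its text remains. The cost is a full parse, which is exactly the trade the post argues is worth making once the parser is a native extension rather than a PHP-level tokenizer.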

You may read and comment on the proposal here: http://framework.zend.com/wiki/pages/viewpage.action?pageId=25002168. The proposal is up for review for Zend Framework 2.0.