Skip to end of metadata
Go to start of metadata

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[

Zend Framework: Zend_Filter_Html & Zend_Validate_Html Component Proposal

Proposed Component Name Zend_Filter_Html & Zend_Validate_Html
Developer Notes & Zend_Validate_Html
Proposers Thomas Weidner
Zend Liaison TBD
Revision 1.0 - 6 December 2009: Initial Draft. (wiki revision: 7)

Table of Contents

1. Overview

Zend_Filter_Html is a component which filters a given input to be HTML conform.
Zend_Validate_Html is it's cousine which validates if a given input is HTML conform.

2. References

  • See here for problems of actual ZF usage: Blog Post

3. Component Requirements, Constraints, and Acceptance Criteria


  • This component will convert any input to conform HTML
  • This component will prevent XSS attacks
  • This component will produce 100% valid HTML output
  • This component will use adapters to allow foreign libraries to be used


  • This component will validate if input is 100% valid HTML
  • This compontnt will use adapters to allow foreign libraries to be used

4. Dependencies on Other Framework Components

  • Zend_Filter
  • Zend_Validator

5. Theory of Operation

Actually Zend Framework does not have a component which really prevents XSS attacks.

Zend_Filter_Html filters given input, so it conforms the HTML standard. It prevents XSS attacks. Therefor it makes usage of Tidy to get a standard conform HTML output, and it uses HTMLPurifier to prevent any attacks.

Zend_Validate_Html validates is a given input conforms the HTML standard.

6. Milestones / Tasks

  • Milestone 1: [DONE] Proposal finished
  • Milestone 2: Proposal accepted
  • Milestone 3: Working implementation
  • Milestone 4: Unit tests
  • Milestone 5: Documentation
  • Milestone 6: Moved to core

7. Class Index

  • Zend_Filter_Html
  • Zend_Filter_Html_HtmlAbstract
  • Zend_Filter_Html_Tidy
  • Zend_Filter_Html_HtmlPurifier
  • Zend_Validate_Html
  • Zend_Validate_Html_HtmlAbstract
  • Zend_Validate_Html_Tidy

8. Use Cases


Filtering XSS attacks:


Validating HTML:

9. Class Skeletons



Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
  1. Dec 07, 2009

    <p>At a time ago had proposed the construction of the Zend_Filter_Html in <a href="">ZF-7809</a>.</p>

    <p>I closed because I saw the need to improve the proposal because, it was too vague.</p>

    1. Dec 07, 2009

      <p>Ramon:<br />
      You wrote only an issue about adding a tidy filter.</p>

      <p>Tidy itself is not enough to produce secure and valid HTML.<br />
      The reason for this proposal is not only to provide valid HTML but also to provide secure HTML.</p>

      <p>Tidy is only one adapter for this proposal.</p>

      1. Dec 07, 2009


        <p>I understood perfectly the real need of building Zend_Filter_Html + Zend_Validate_Html.</p>

        <p>It would be great if both were included.
        <br class="atl-forced-newline" /></p>

  2. Apr 24, 2010

    <p>I'd very much like to see this component make its way into core and I'm willing to help out in any way I can.</p>

    <p>@Thomas - Do you have any sample code that illustrates how options would be set for each adapter? I've written custom filters using HTMLPurifier in previous projects. Would they be of any use to this proposal?</p>

    1. Apr 24, 2010

      <p>Until now this proposal was not accepted for core.<br />
      As long as it's not accepted I will not work on it or give pre-work to others.</p>

      <p>The reason is that in past many proposals were said to be rewritten and I want to prevent me to rewrite things multiple times.</p>

      <p>Sample code is of course helpful. If it's used or not depends on many things but it can show other ways of how to do things for one of the adapters.</p>

  3. Jul 28, 2010

    <p>Thomas, I assume you've heard about padraic's idea of writing a htmlpurifier alternative for ZF ( <a class="external-link" href=""></a> ). Once proposed, and if accepted, would it be a viable option to rely on this component in order to minimize duplication of functionality across the framework?</p>

    1. Jul 30, 2010

      <p>This proposal was written last year. At this time written paddy did not have had his idea and until now there is no proposal available within ZF.</p>

      <p>This proposal was intended to be an improvement for the old Zend_Filter_StripTags and should add a validator for HTML which was not available until then.</p>

      <p>When paddys "Wibble" can work as validator and as filter for html content, then this proposal is obsolet and can be archived.</p>

      <p>But as long as the related proposal is not available I would not archive it.</p>

      <p>When Wibble does not work at filter and validator but only as "HTMLPurifier" replacement then this proposal is not obsolet and can of course use Wibble as adapter.</p>

      <p>Another note: This proposal is intended for 2.0, not for 1.11 because we can not delete Zend_Filter_StripTags before 2.0 (BC problems)</p>

  4. Aug 09, 2010

    <p>Clearification:<br />
    This proposal is NOT intended to add a HTML sanitiser.<br />
    The intention for this filter is to provide a unified integration point for several HTML sanitisers which are available.</p>

    <p>This could be Tidy, HTMLPurifier, the newly proposed Wibble or any other.<br />
    All of them should be integrated by an adapter which will be used by this filter.</p>

    <p>Different than Zend_Filter_StripTags this filter will itself not change content but redirect to the adapter (Tidy for example) which does the job.</p>

    <p>Same goes for the proposed validator.</p>

    1. Aug 12, 2010

      <p>Tidy and HTMLPurifier do <em>very</em> different things. Tidy is intended to normalize markup so that it is in a valid state. HTMLPurifier also does this, but as the final step of a process that also includes scrubbing for XSS, CSRF, and other security vectors. As such, of the two potential adapters you list, only one satisfies the requirements you list in the proposal.</p>

      <p>While the adapter approach may make sense, I'm personally of the mind that we cannot claim this as a security-oriented filter unless it restricts usage to known good HTML sanitisers. Currently, there is only one PHP library that fully satisfies that criteria (HTMLPurifier), and one that is currently in proposal status for ZF (Wibble). I think we should postpone movement on this proposal until Wibble matures and/or have separate filters for HTMLPurifier and our ZF implementation.</p>