Extension:HTMLPurifier
HTMLPurifier | Release status: beta |
---|---|
Implementation | Tag |
Description | Allows users to input raw HTML by using HTML Purifier to sanitize it. |
Author(s) | Sophivorus |
Latest version | 4.1 |
MediaWiki | >= 1.35.0 |
Database changes | No |
License | GNU General Public License 3.0 or later |
Quarterly downloads | 6 (Ranked 134th) |
The HTMLPurifier extension allows users to input raw HTML by using HTML Purifier to sanitize it.
Installation
- Download and move the extracted HTMLPurifier folder to your extensions/ directory.
  Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/HTMLPurifier
- Only when installing from Git, run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See task T173141 for potential complications.)
- Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'HTMLPurifier' );
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Usage
Once installed, users will be able to use the <html> tag to input HTML in any page, like so:
<html>This <a href="https://example.com/">link</a> was done with HTML rather than wikitext!</html>
To avoid security risks, all HTML is passed through HTML Purifier, a mature and thoroughly audited PHP library that strips off all malicious and suspect code.
Configuration
The only configuration option is an associative array that controls the configuration of HTML Purifier itself. For example:
$wgHTMLPurifierConfig = [
	'Cache.SerializerPath' => $wgCacheDirectory, // Use the MediaWiki cache directory for HTML Purifier
	'Attr.EnableID' => true, // Allow ID attributes
	'CSS.Trusted' => true, // Allow inline styling
];
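The two directives enabled above loosen HTML Purifier's defaults: Attr.EnableID lets user HTML carry id attributes that can collide with IDs already on the page, and CSS.Trusted tells HTML Purifier to treat user CSS as trusted and accept properties it otherwise drops. A tighter variant for a wiki where any editor can use the <html> tag, as an added example that is not part of the extension's own documentation; the directive names are HTML Purifier's, while the 'user-' prefix, the property list and the scheme list are assumed values to adapt:

```php
// LocalSettings.php fragment (added example, values are assumptions)
wfLoadExtension( 'HTMLPurifier' );

$wgHTMLPurifierConfig = [
	// Same cache location as in the example above
	'Cache.SerializerPath' => $wgCacheDirectory,

	// Allow id attributes, but prefix every user-supplied ID so it cannot
	// shadow an ID used by the skin, by gadgets or by MediaWiki itself.
	// 'user-' is an assumed prefix; <div id="content"> becomes id="user-content".
	'Attr.EnableID' => true,
	'Attr.IDPrefix' => 'user-',

	// Leave CSS.Trusted at its default (false) and allow inline styling
	// through an explicit property allowlist instead.
	'CSS.AllowedProperties' => [
		'color',
		'background-color',
		'font-weight',
		'font-style',
		'text-align',
		'text-decoration',
	],

	// Restrict href/src values to the schemes the wiki actually needs.
	'URI.AllowedSchemes' => [
		'http' => true,
		'https' => true,
		'mailto' => true,
	],

	// Add rel="nofollow" to links in user-supplied HTML.
	'HTML.Nofollow' => true,
];
```

After changing the array, save a test page containing an id, a style attribute with a property outside the list and a link with an unlisted scheme, then check the rendered HTML to confirm each was prefixed or removed.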
The extension has a HTMLPurifierBeforePurify hook to do more advanced configurations. For example, to allow <video> tags, add the following to your LocalSettings.php (see this documentation for more):
$wgHooks['HTMLPurifierBeforePurify'][] = function ( &$config ) {
	// Fetch the raw (editable) HTML definition from the config passed to the hook
	$definition = $config->getHTMLDefinition( true );
	$definition->addElement( 'video',
		'Block', // content set
		'Flow', // allowed children
		'Common', // attribute collection
		[ // attributes
			'src' => 'URI',
			'width' => 'Length',
			'height' => 'Length',
			'controls' => 'Bool'
		]
	);
};
The extension also has a HTMLPurifierAfterPurify hook to further transform the purified HTML. For example, to reintroduce extracted <style> tags, add the following to your LocalSettings.php:
$wgHTMLPurifierConfig['Filter.ExtractStyleBlocks'] = true;
$wgHooks['HTMLPurifierAfterPurify'][] = function ( &$html, $purifier ) {
	$styles = $purifier->context->get( 'StyleBlocks' );
	foreach ( $styles as $i => $style ) {
		$html .= "<style>$style</style>";
	}
};
See also
- HTML restriction - Other extensions that allow users to input raw HTML securely
- Manual:$wgRawHtml - Config option to allow raw HTML