If you have forms where users can submit HTML content you will want to filter it so you can be sure that no malicious code gets through. Some WYSIWYG editors do this client-side, but not all of them do, and client-side clean-up is worthless against anyone who posts straight to your endpoint, so as paranoid backend developers we don't trust any input submitted by users.

Filtering data is rather trivial in Zend Framework as we have a built-in filter called 'StripTags', but with HTML we want (some of) those tags! Its own documentation also warns that StripTags is not a security tool and should not be relied on to prevent XSS. We could use BBCode or Markdown, but these are not as user friendly as a WYSIWYG editor like Summernote, TinyMCE or CKEditor. So what can we do? This is where HTML Purifier comes to our aid, and it's quite easy to integrate into Zend Framework.

In the following code examples I am using PHP 7 syntax as there are great new features in PHP 7. I am also in the process of upgrading my Zend Framework 2 code to Zend Framework 3, so the examples will be Zend Framework 3 ready but also work in Zend Framework 2 (upgrading all my code is going to take some time).

First we have to include the HTML Purifier library (the Composer package is 'ezyang/htmlpurifier'), and as we are using Composer this is easy. (If you are not using Composer you will have to add the library manually and set up its autoloader yourself.)

Once that's done we can write our filter, which will extend 'Zend\Filter\AbstractFilter'. The basics of HTML Purifier are mind-numbingly simple: build a configuration, build a purifier from it and call purify() on the untrusted string. The basic principle is

So with this knowledge let's integrate this filter into Zend Framework. First let's make our filter class, which I will put in my module folder, in this case '/module/Application/src/Application/Filter' (notice I am still using the Zend Framework 2 module layout). Our filter class will look like
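An added example of such a filter class (not the post's file): it takes the HTMLPurifier instance in its constructor and hands every string value to purify(). Non-string values are passed through untouched, which is how the built-in Zend filters behave, so the filter cannot be tricked into crashing by an array or a file upload posted under the same field name.

```php
<?php
// file: module/Application/src/Application/Filter/HtmlPurifierFilter.php
// Added example (not the post's file): a Zend filter that delegates to HTMLPurifier.
namespace Application\Filter;

use HTMLPurifier;
use Zend\Filter\AbstractFilter;

class HtmlPurifierFilter extends AbstractFilter
{
    /** @var HTMLPurifier */
    private $purifier;

    // The purifier is built and configured by the factory, so all the
    // HTML Purifier directives stay in one place (the config) rather than here.
    public function __construct(HTMLPurifier $purifier)
    {
        $this->purifier = $purifier;
    }

    /**
     * Returns the purified HTML for a string. Non-string values (null, arrays,
     * uploaded files) are returned unchanged, matching the built-in Zend filters.
     *
     * @param  mixed $value
     * @return mixed
     */
    public function filter($value)
    {
        if (!is_string($value)) {
            return $value;
        }

        return $this->purifier->purify($value);
    }
}
```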

This is a straightforward filter: the constructor expects an HTMLPurifier instance and the filter method returns the purified string. To be able to use this filter in a Zend\Form we have to tell the FilterPluginManager about it, but as we said the constructor expects the HTMLPurifier instance, so to get that into the constructor we need to write a factory class, which we will create in '/module/Application/src/Application/Filter/Service' and call 'HtmlPurifierFactory'. It would look like
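An added example of the factory (not the post's file). It assumes zend-servicemanager 3 (ZF3), where the plugin manager calls `__invoke()` with the application container and the filter spec's options; the two ZF2 methods at the bottom follow the post's description and only matter on zend-servicemanager 2.x. The `html_purifier` config key is the one the post names.

```php
<?php
// file: module/Application/src/Application/Filter/Service/HtmlPurifierFactory.php
// Added example, not the post's file. Assumes zend-servicemanager 3 (ZF3); the two
// ZF2 methods at the bottom follow the post's description and are not used by ZF3.
namespace Application\Filter\Service;

use Application\Filter\HtmlPurifierFilter;
use HTMLPurifier;
use HTMLPurifier_Config;
use Interop\Container\ContainerInterface;
use Zend\ServiceManager\Factory\FactoryInterface;
use Zend\ServiceManager\ServiceLocatorInterface;

class HtmlPurifierFactory implements FactoryInterface
{
    /** @var array options handed over by ZF2's setCreationOptions() */
    private $creationOptions = [];

    /**
     * ZF3 entry point. $options are the 'options' given in the form's filter spec.
     */
    public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
    {
        // If a plugin manager was passed instead of the application container,
        // climb to its parent so the 'config' service can be found.
        if (!$container->has('config') && method_exists($container, 'getServiceLocator')) {
            $container = $container->getServiceLocator();
        }

        $config   = $container->get('config');
        $defaults = $config['html_purifier'] ?? [];

        // Per-form options win over the application-wide defaults.
        $directives = array_merge($defaults, $options ?? []);

        // HTMLPurifier_Config::create() accepts the directive array directly
        // (e.g. ['Cache.SerializerPath' => '/path', 'HTML.Allowed' => 'p,b']).
        $purifierConfig = HTMLPurifier_Config::create($directives);

        return new HtmlPurifierFilter(new HTMLPurifier($purifierConfig));
    }

    /**
     * ZF2 (zend-servicemanager 2.x) entry point. On 2.x also declare
     * `implements \Zend\ServiceManager\MutableCreationOptionsInterface` so the
     * plugin manager calls setCreationOptions(); that interface no longer
     * exists in 3.x, which is why it is not declared here.
     */
    public function createService(ServiceLocatorInterface $serviceLocator)
    {
        // In ZF2 $serviceLocator is the FilterPluginManager; its parent holds 'config'.
        $container = method_exists($serviceLocator, 'getServiceLocator')
            ? $serviceLocator->getServiceLocator()
            : $serviceLocator;

        return $this($container, HtmlPurifierFilter::class, $this->creationOptions);
    }

    public function setCreationOptions(array $options)
    {
        $this->creationOptions = $options;
    }
}
```

Because the form's options are merged last, a form can loosen the global allow-list as well as tighten it, so keep the global defaults conservative and review every per-form override as carefully as you would the defaults.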

This code is ZF3 compatible: we have 'createService' and 'setCreationOptions', which are needed for ZF2 and which just call the '__invoke' method, which is what ZF3 uses (correct me if I'm wrong! I'm still getting my head around all the new changes in ZF3). In the '__invoke' method we ask the container for the application config array and specifically for the key 'html_purifier'; this is where our HTML Purifier options will live. We also merge this with the options passed in, so that in our form we can override or add options specific to what we want.

Next we have to tell the FilterPluginManager about our new filter, so in '/module/Application/config/module.config.php' we add a new key like

Now make a config file in our '/config/autoload' folder called 'htmlpurifier.local.php' for our options. For this we will have just one option, the cache directory (HTML Purifier's 'Cache.SerializerPath'), so
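An added example of that config file (not the post's file). The directory path is my assumption; what matters is that it sits outside the web root and is writable by the PHP user, because without a usable cache HTML Purifier warns and rebuilds its definitions on every request, which is slow. Because `*.local.php` files are git-ignored in the Zend skeleton, the path can differ per environment without a code change.

```php
<?php
// file: config/autoload/htmlpurifier.local.php
// Added example, not the post's file. Only the one option the post mentions is set;
// any other application-wide HTML Purifier defaults belong in the same array.

// Assumed location: data/cache/htmlpurifier relative to the project root,
// i.e. outside the public web root.
$cacheDir = __DIR__ . '/../../data/cache/htmlpurifier';

// Fail loudly at bootstrap rather than warning on every request later.
if (!is_dir($cacheDir) && !@mkdir($cacheDir, 0775, true) && !is_dir($cacheDir)) {
    throw new RuntimeException('Cannot create HTML Purifier cache directory ' . $cacheDir);
}
if (!is_writable($cacheDir)) {
    throw new RuntimeException('HTML Purifier cache directory is not writable: ' . $cacheDir);
}

return [
    'html_purifier' => [
        'Cache.SerializerPath' => $cacheDir,
    ],
];
```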

Now it's time to make our form. Make a new file in '/module/Application/src/Application/Form' called 'BlogPost.php' like this (this is for demo only; modify your own forms accordingly).
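An added example of such a form (not the post's file). The element names 'title' and 'html', the allow-list and the length limits are my choices; the point to copy is that the 'html' input names 'HtmlPurifierFilter' in its filter chain and passes HTML Purifier directives as that filter's options, which the factory merges over the 'html_purifier' defaults.

```php
<?php
// file: module/Application/src/Application/Form/BlogPost.php
// Added example, not the post's file. Field names, allow-list and limits are assumptions.
namespace Application\Form;

use Application\Filter\HtmlPurifierFilter;
use Zend\Filter\StringTrim;
use Zend\Filter\StripTags;
use Zend\Form\Element;
use Zend\Form\Form;
use Zend\InputFilter\InputFilterProviderInterface;
use Zend\Validator\StringLength;

class BlogPost extends Form implements InputFilterProviderInterface
{
    public function __construct($name = 'blog-post', $options = [])
    {
        parent::__construct($name, $options);

        $this->add([
            'name'    => 'title',
            'type'    => Element\Text::class,
            'options' => ['label' => 'Title'],
        ]);
        $this->add([
            'name'       => 'html',
            'type'       => Element\Textarea::class,
            'options'    => ['label' => 'Post body'],
            'attributes' => ['id' => 'html', 'rows' => 20], // the WYSIWYG editor attaches here
        ]);
        $this->add([
            'name'       => 'submit',
            'type'       => Element\Submit::class,
            'attributes' => ['value' => 'Save'],
        ]);
    }

    public function getInputFilterSpecification()
    {
        return [
            'title' => [
                'required'   => true,
                'filters'    => [
                    ['name' => StringTrim::class],
                    ['name' => StripTags::class], // plain-text field: no HTML wanted at all
                ],
                'validators' => [
                    ['name' => StringLength::class, 'options' => ['min' => 1, 'max' => 200]],
                ],
            ],
            'html' => [
                'required'   => true,
                'filters'    => [
                    ['name' => StringTrim::class],
                    [
                        // Resolved through the FilterPluginManager, so HtmlPurifierFactory
                        // builds it and merges these options over the 'html_purifier' config.
                        'name'    => HtmlPurifierFilter::class,
                        'options' => [
                            // Element/attribute allow-list for post bodies; anything else is dropped.
                            'HTML.Allowed' => 'p,br,b,strong,i,em,u,ul,ol,li,blockquote,pre,code,'
                                            . 'h2,h3,a[href|title],img[src|alt|width|height]',
                            'URI.AllowedSchemes' => ['http' => true, 'https' => true],
                            'HTML.Nofollow'      => true,
                        ],
                    ],
                ],
                'validators' => [
                    // Runs after the filters, i.e. on the purified markup.
                    ['name' => StringLength::class, 'options' => ['max' => 65535]],
                ],
            ],
        ];
    }
}
```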

Here you can see we have added our filters for the form element 'html', including our new 'HtmlPurifierFilter'; in its options you can pass any other HTML Purifier directives you want for this particular field. Now tell the Service Manager where to find our form, so back in '/module/Application/config/module.config.php' add
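An added example (not the post's file) of the two keys this post adds to module.config.php: the 'filters' entry from the earlier step that maps the filter to its factory, and the 'form_elements' entry for the form. Merge them into your existing config array; 'InvokableFactory' is enough for the form because it has no constructor dependencies of its own.

```php
<?php
// file: module/Application/config/module.config.php (only the keys this post adds)
// Added example, not the post's file; merge these keys into your existing config array.
namespace Application;

use Zend\ServiceManager\Factory\InvokableFactory;

return [
    // FilterPluginManager: filter name -> factory, so HtmlPurifierFactory builds
    // the filter (and its HTMLPurifier dependency) whenever a form asks for it by name.
    'filters' => [
        'factories' => [
            Filter\HtmlPurifierFilter::class => Filter\Service\HtmlPurifierFactory::class,
        ],
    ],
    // FormElementManager: the form has no dependencies, so InvokableFactory is enough.
    // What matters is that the form is fetched from this manager, because that is
    // what injects the application's filter plugins into the form's input filter.
    'form_elements' => [
        'factories' => [
            Form\BlogPost::class => InvokableFactory::class,
        ],
    ],
];
```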

Now when you get your form from the 'FormElementManager' it will automatically wire up our filters and validators, and in this case purify the HTML, removing any JavaScript and cleaning up the markup. Note that this only works because the FormElementManager injects the application's FilterPluginManager into the form's input filter factory; if you instantiate the form with 'new' the filter chain has no factory to build 'HtmlPurifierFilter' (and nothing to inject the HTMLPurifier instance), so it will fail rather than silently skip the purification.
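An added example (not the post's code) of using the form from a controller. The controller, its action and the route name are my assumptions; the two things to take from it are that the form comes from the FormElementManager, and that only `$form->getData()` holds the purified value, never `$request->getPost()`.

```php
<?php
// file: module/Application/src/Application/Controller/BlogController.php
// Added example, not the post's file. Assumes a controller factory passes the
// FormElementManager in, e.g. new BlogController($container->get('FormElementManager')).
namespace Application\Controller;

use Application\Form\BlogPost;
use Zend\Form\FormElementManager;
use Zend\Mvc\Controller\AbstractActionController;
use Zend\View\Model\ViewModel;

class BlogController extends AbstractActionController
{
    /** @var FormElementManager */
    private $formElementManager;

    public function __construct(FormElementManager $formElementManager)
    {
        $this->formElementManager = $formElementManager;
    }

    public function addAction()
    {
        // Getting the form here (rather than `new BlogPost()`) is what wires the
        // application's FilterPluginManager, and with it HtmlPurifierFactory, into it.
        $form = $this->formElementManager->get(BlogPost::class);

        $request = $this->getRequest();
        if ($request->isPost()) {
            $form->setData($request->getPost());

            if ($form->isValid()) {
                // getData() returns the *filtered* values: 'html' has been through
                // HTML Purifier. $request->getPost('html') is still the raw, untrusted
                // markup and must never be stored or rendered.
                $data  = $form->getData();
                $title = $data['title'];   // plain text (StripTags applied)
                $html  = $data['html'];    // purified HTML, safe to store and to echo unescaped

                // ... save $title and $html with your table gateway / repository here ...

                return $this->redirect()->toRoute('home'); // assumed route name
            }
        }

        return new ViewModel(['form' => $form]);
    }
}
```

When rendering the saved post, the purified body is the one value you deliberately echo without `escapeHtml()`; everything else (the title, author names, anything that did not pass through this filter) still goes through the view helper escaping as usual.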

So it's over to you now: any improvements, things I got wrong or general chat, let me know in the comments below, and as always

Happy Coding!