Last updated 28 April 2015. Created on 22 June 2014.
Edited by dsc8248, margyly, heddn, koffer. Log in to edit this page.

HTML Purifier is a standards-compliant HTML filter library. It will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.


PREREQUISITES: Make sure you check HTML Purifier and make sure that you have fulfilled all of its requirements before running this. Specifically, you'll need the PHP extension ctype (in almost all PHP distributions), and it's nice to have dom and iconv.

Step 1. Place the htmlpurifier folder in your drupal modules directory.

Step 2. Download HTML Purifier from You will need 4.0.0 or later.

There are two locations you can install the HTML Purifier library.

* Module directory installation. This means installing the library folder under the module directory, so that the file sites//modules/htmlpurifier/library/ exists. The easiest way to do this is to extract the entire htmlpurifier-x.y.z folder, and then copy the htmlpurifier-x.y.z/library folder to your module. This method is convenient and simple, but does not permit HTML Purifier to be shared with other modules and can make upgrading the Drupal module a little complicated.

* The preferred way is making use of the libraries API, This makes the library
available to all sites or to a specific site in a multisite Drupal setup. You'll need to download the libraries API module and enable it before enabling the htmlpurifier module so that in the install phase it can find the library.

Step 3. Extract the htmlpurifier-x.y.z archive to sites/all/libraries/htmlpurifier or to sites//libraries/htmlpurifier for a specific site in a multisite Drupal setup. You can get away with just placing the library folder, so that sites//libraries/htmlpurifier/library exists (see below).

The final setup should be, when making the library and module available to all sites:


Now you can safely upgrade your htmlpurifier module without having to re-deploy the HTML Purifier library.

Step 4. Go to Administer > Modules and enable this module.

Using HTML Purifier

You can now create a new text format or add the HTML Purifier to an existing text format. It is recommended that you place HTML Purifier as the last filter in the text format. Reorder the filters if necessary.

WARNING: Due to HTML Purifier's caching mechanism, dynamic filters MUST NOT be placed before HTML Purifier.

For further documentation on the upstream library, visit

Looking for support? Visit the forums, or join #drupal-support in IRC.