HTML Purifier is a standards-compliant HTML filter library. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

HTML Purifier is very tasty when combined with WYSIWYG editors and is more comprehensive, standards-compliant, permissive and extensive than Drupal's built-in filtered HTML option, which uses a derivative of kses. You can read more about it at this comparison page. Want custom fonts, tables, inline styling, images, and more? Want just a restricted tag set but bullet-proof standards-compliant output? HTML Purifier is for you!

The HTML Purifier module is licensed under GPL v2 or later; the HTML Purifier library itself, however, is licensed under LGPL v2.1 or later.

Want to give it a test drive? Try it out on


  1. Place the htmlpurifier folder for this plugin in your drupal modules directory.
  2. Download HTML Purifier from
  3. If you have the libraries API installed, extract the resulting folder and place it inside your site/all/libraries folder as "htmlpurifier", so that site/all/libraries/htmlpurifier/library/ exists
  4. Otherwise, extract the "library" folder and place it inside your modules/htmlpurifier directory, so that modules/htmlpurifier/library/ exists
  5. Go to Administer > Site building > Modules and enable this module
  6. You can now create a new input format or add the HTML Purifier to an existing input format. It is recommended that you place HTML Purifier as the last filter in the input format. Reorder the filters if necessary.
  7. You can customize filter options by going to Site Configuration > Input formats > configure

HTML Purifier v4.5.0+ & htmlpurifier.module 7.x-2.x
If you are using the latest 4.5.0 library version of HTML Purifier with the 2.x branch, make sure you use the Standard download. Alternatively, you can use the lite version but you must manually create a VERSION file in the root htmlpurifier library folder that lists the appropriate version of HTML Purifier.


  1. FCKEditor (D6 only) generates bogus numeric name attributes; to pass them through the filter, enable the configuration option HTML.Attr.Name.UseCDATA on the advanced configuration page.
  2. By default, external images are not allowed (this is how Filter HTML works too). You can enable external images by setting URI.DisableExternalResources off.
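As an added illustration (not code from the module or from the HTML Purifier library), the following PHP script calls the library directly with the two directives named in the notes above, once with the defaults and once with both relaxed. It assumes the library was extracted so that library/HTMLPurifier.auto.php sits next to the script; the build_purifier() helper and the sample markup are constructed for this example.

```php
<?php
// Added example: exercising URI.DisableExternalResources and
// HTML.Attr.Name.UseCDATA against the HTML Purifier library directly.
// Assumes the "library" folder was extracted next to this script.
require_once __DIR__ . '/library/HTMLPurifier.auto.php';

/**
 * Build a purifier for the requested policy (helper constructed for this example).
 *
 * @param bool $allowExternal true turns URI.DisableExternalResources off, so
 *                            external images are kept.
 * @param bool $cdataNames    true enables HTML.Attr.Name.UseCDATA, so numeric
 *                            name attributes are passed through.
 */
function build_purifier(bool $allowExternal, bool $cdataNames): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Default is true: external resources such as remote <img> sources are dropped.
    $config->set('URI.DisableExternalResources', !$allowExternal);
    // Default is false: name attributes are validated like IDs, which rejects "123".
    $config->set('HTML.Attr.Name.UseCDATA', $cdataNames);
    // Disable the definition cache so this throwaway run needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed sample input: an event-handler attribute, an inline script,
// an external image and a numeric name attribute of the kind FCKEditor emits.
$dirty = '<p onclick="evil()">Hello</p>'
       . '<script>alert(1)</script>'
       . '<img src="http://example.com/pic.png" alt="remote">'
       . '<a name="123">anchor</a>';

$strict  = build_purifier(false, false); // module defaults
$lenient = build_purifier(true, true);   // both notes above applied

echo "strict:  " . $strict->purify($dirty) . "\n";
echo "lenient: " . $lenient->purify($dirty) . "\n";
// In both outputs the script element and the onclick handler are removed, since
// neither is on the whitelist. Only the lenient purifier keeps the external image
// and the numeric name attribute; the strict one drops them as the notes describe.
```

Run it with `php example.php` from the directory that contains the extracted library folder. The two directives only widen what is passed through; the XSS-relevant filtering (script elements, event-handler attributes) is the same in both configurations.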

Comprehensive installation instructions can be found in the INSTALL.txt file.

Other Resources

HTML Purifier, WYSIWYG, and TinyMCE - shared at TriDUG by cgmonroe on 04/16/2013


Project information

  • Minimally maintained: maintainers monitor issues, but fast responses are not guaranteed.
  • No further development: no longer developed by its maintainers.
  • 9,002 sites report using this module.
  • Stable releases for this project are covered by the security advisory policy.