HTML-Detoxifier reviews


HTML-Detoxifier (0.02)

On the positive side the module has zero dependencies and installs without any issues. On the negative side, the lists of HTML tags in this module predate HTML5, and its <marquee> and <blink>-removing code is obsolete in 2017.

The module has problems compared to the alternatives. Given


<script>x = y;</script>


the command

detoxify ($html, disallow => [qw(everything)]);

just removes the <script> and </script> and leaves the x = y; part, which is definitely not desirable.

Although the module seems to represent quite a lot of work, the most recent update was in 2004, to version 0.02, so I recommend considering alternative modules like HTML::Restrict, HTML::Strip, or HTML::Scrubber, all of which will remove the text between <script> and </script> tags.

For a list of similar modules and links to other reviews, please see my page at

HTML-Detoxifier (0.02) **

This module seems nicely constructed and documented, but I wouldn't use it for XSS protection. Choosing the 'dynamic' option would lead you to believe that all JavaScript would be covered, but I don't believe it covers in-line JavaScript, like <img src="javascript:foo()">.
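A way to check any candidate sanitizer against the two cases raised in the reviews above (script body text left behind, and a javascript: URL in an attribute). This is an added example, not code from the reviewers or from any of the modules; the inputs are constructed from the snippets quoted in the reviews, and `audit` and the tags-only stand-in are hypothetical names. The real modules are exercised only if they are installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inputs, built from the two snippets quoted in the reviews.
my %cases = (
    script_body => '<p>hi</p><script>x = y;</script>',
    js_url      => '<img src="javascript:foo()">',
);

# What must not survive sanitizing, per case.
my %leak = (
    script_body => qr/x\s*=\s*y/,
    js_url      => qr/javascript\s*:/i,
);

# Run one sanitizer (a coderef taking HTML, returning HTML) over every case.
# Returns a hashref: case name => 1 if the unwanted content survived, else 0.
sub audit {
    my ($sanitize) = @_;
    my %result;
    for my $name (sort keys %cases) {
        my $out = $sanitize->($cases{$name});
        $out = '' unless defined $out;
        $result{$name} = $out =~ $leak{$name} ? 1 : 0;
    }
    return \%result;
}

# Hypothetical stand-in that drops only the <script> tags themselves,
# reproducing the behaviour the first review describes.
my %sanitizers = (
    'tags-only (stand-in)' => sub { (my $h = shift) =~ s{</?script\b[^>]*>}{}gi; $h },
);

# Real modules, added only when installed.
if (eval { require HTML::Detoxifier; 1 }) {
    $sanitizers{'HTML::Detoxifier'} =
        sub { HTML::Detoxifier::detoxify($_[0], disallow => [qw(everything)]) };
}
if (eval { require HTML::Restrict; 1 }) {
    my $hr = HTML::Restrict->new;
    $sanitizers{'HTML::Restrict'} = sub { $hr->process($_[0]) };
}

for my $name (sort keys %sanitizers) {
    my $r = audit($sanitizers{$name});
    printf "%-22s %s\n", $name,
        join ', ', map { "$_=" . ($r->{$_} ? 'LEAK' : 'ok') } sort keys %$r;
}
```

The stand-in reports a leak for both cases; a sanitizer suitable for untrusted input should report `ok` for both.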

HTML-Detoxifier (0.02) *****

Nice module, it works very well, as well as HTML::Scrubber (both are way more accurate than HTML::Strip).
Contrary to HTML::Scrubber, it offers a functional interface instead of an OO interface. HTML::Scrubber also permits finer-grained control over the tags to allow/disallow, while this module groups them by category (though most of the time this is perfectly appropriate, sufficient and even easier to deal with).