WebAPP/app/Services/HtmlSanitizerService.php

<?php

namespace App\Services;

use HTMLPurifier;
use HTMLPurifier_Config;

class HtmlSanitizerService
{
    private HTMLPurifier $purifier;

    public function __construct()
    {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,strong,b,em,i,u,ul,ol,li,a[href|target],h2[id],h3[id],h4[id],blockquote,span[style]');
        $config->set('CSS.AllowedProperties', 'color,background-color');
        $config->set('HTML.TargetBlank', true);
        $config->set('AutoFormat.RemoveEmpty', true);
        // DOM-Clobbering-Schutz: IDs in User-Content prefixen (V18)
        $config->set('Attr.IDPrefix', 'uc-');
        $config->set('Cache.SerializerPath', storage_path('app/purifier'));

        $this->purifier = new HTMLPurifier($config);
    }

    public function sanitize(string $dirtyHtml): string
    {
        return $this->purifier->purify($dirtyHtml);
    }
}