PHP: strip_tags

Description

string strip_tags ( string str [, string allowable_tags] )

This function tries to return a string with all HTML and PHP tags stripped from a given str. It uses the same tag stripping state machine as the fgetss() function.

You can use the optional second parameter to specify tags which should not be stripped.

Notatka: allowable_tags was added in PHP 3.0.13 and PHP 4.0b3.
Since PHP 4.3.0, HTML comments are also stripped. This is hardcoded and can not be changed with allowable_tags.

Ostrzeżenie

Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected.

Ostrzeżenie

This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

Przykład 1. strip_tags() example


<?php

$text = '<p>Test paragraph.</p><!-- Comment --> Other text';

echo strip_tags($text);

echo "\n";



// Allow <p>

echo strip_tags($text, '<p>');

?>

Powyższy przykład wyświetli:

Test paragraph. Other text
<p>Test paragraph.</p> Other text

strip_tags() has been binary safe since PHP 5.0.0

See also htmlspecialchars().

User Contributed Notes


<?php



function remove_tag ( $tag , $data ) {

    

    while ( eregi ( "<" . $tag , $data ) ) {

        

        $it    = stripos ( $data , "<" . $tag   ) ;

                

        $it2   = stripos ( $data , "</" . $tag . ">" ) + strlen ( $tag ) + 3 ;

                

        $temp  = substr ( $data , 0    , $it  ) ;

    

        $temp2 = substr ( $data , $it2 , strlen ( $data ) ) ;

        

        $data = $temp . $temp2 ;

            

    }

    

    return $data ;

    

}



?>



this code will remove only and all of the specified tag from a given haystack.


I think the Regular expression posted <a href=function.strip-tags.php#51383>HERE</a>  is not correct



<?php

$disalowedtags = array("font");



foreach ($_GET as $varname) 

foreach ($disalowedtags as $tag) 



----------------------------------------------------------

if (eregi("<[^>]*".$tag."*\"?[^>]*>", $varname)) <---

----------------------------------------------------------



die("stop that");



?> 



this function also replaces  links like this :

<a href=font.php>test</a> 

because word "font" is between tags "<" ">".



I changed reg exp with this

-----------------------------------------------------

if (eregi("(<|</)".$tag."*\"?[^>]*>", $varname))

-----------------------------------------------------



bye 



Luca


Note for BRYN at drumdatabse dot com (http://www.php.net/manual/fr/function.strip-tags.php#52085) :



I've changed your script to support more possibilities.

- The first WHILE loop reiterates the second WHILE to strip_tags the html tags which possibly are cuted by the substr() function (and not recognized by the strip_tags() function)

- There's no more bugs with substr($textstring,0,1024) ... yes, when the WHILE loop reiterates for the second, third, fourth... time, if the length of $textstring is smaller than 1024 it returns error



<?php

function strip_tags_in_big_string($textstring){

while($textstring != strip_tags($textstring))

    {

    while (strlen($textstring) != 0)

         {

         if (strlen($textstring) > 1024) {

              $otherlen = 1024;

         } else {

              $otherlen = strlen($textstring);

         }

         $temptext = strip_tags(substr($textstring,0,$otherlen));

         $safetext .= $temptext;

         $textstring = substr_replace($textstring,'',0,$otherlen);

         }   

    $textstring = $safetext;

    }

return $textstring;

?>


Please note that the function supplied by daneel at neezine dot net is not a good way of avoiding XSS attacks. A string like 

<font size=">>" <script>alert("foo")</script> face="tahoma" color="#DD0000">salut</font> 

will be sanitized to 

<font>>" <script>alert("foo")</script> face="tahoma" color="#DD0000">salut</font>

which is a pretty good XSS.



If you are in need of XSS cleaning, you might want to consider the Pixel-Apes XSS cleaner: http://pixel-apes.com/safehtml