Recipe 13.14. Removing HTML and PHP Tags

Previous page
Table of content
Next page

13.14.1. Problem

You want to remove HTML and PHP tags from a string or file. For example, you want to make sure there is no HTML in a string before printing it or PHP in a string before passing it to eval( ).

13.14.2. Solution

Use strip_tags( ) to remove HTML and PHP tags from a string, as shown in Example 13-52.

Removing HTML and PHP tags

<?php $html = '<a href="http://www.oreilly.com">I <b>love computer books.</b></a>          <?php echo "Hello!" ?>'; print strip_tags($html); ?>

Example 13-52 prints:

I love computer books.

To strip tags from a stream as you read it, use the string.strip_tags stream filter, as shown in Example 14-2.

Removing HTML and PHP tags from a stream

<?php $stream = fopen('elephant.html','r'); stream_filter_append($stream, 'string.strip_tags'); print stream_get_contents($stream); ?>

13.14.3. Discussion

Both strip_tags( ) and the string.strip_tags filter can be told not to remove certain tags. Provide a string containing of allowable tags to strip_tags( ) as a second argument. The tag specification is case insensitive, and for pairs of tags, you only have to specify the opening tag. For example, to remove all but <b></b><i></i> tags from $html, call strip_tags($html,'<b><i>').

With the string.strip_tags filter, pass a similar string as a fourth argument to stream_filter_append( ). The third argument to stream_filter_append( ) controls whether the filter is applied on reading (STREAM_FILTER_READ), writing (STREAM_FILTER_WRITE), or both (STREAM_FILTER_ALL). Example 13-54 does what Example 14-2 does, but allows <b></b><i></i> tags.

Removing some HTML and PHP tags from a stream

<?php $stream = fopen('elephant.html','r'); stream_filter_append($stream, 'string.strip_tags',STREAM_FILTER_READ,'<b><i>'); print stream_get_contents($stream); ?>

stream_filter_append( ) also accepts an array of tag names instead of a string: array('b','i') instead of '<b><i>'.

Whether with strip_tags( ) or the stream filter, attributes are not removed from allowed tags. This means that an attribute that changes display (such as style) or executes JavaScript (any event handler) is preserved. If you are displaying "stripped" text of arbitrary origin in a web browser to a user, this could result in cross-site scripting attacks.

13.14.4. See Also

Documentation on strip_tags( ) at http://www.php.net/strip-tags, on stream_filter_append( ) at http://www.php.net/stream_filter_append, and stream filters at http://www.php.net/filters. The PEAR package HTML_Safe attempts to remove unsafe content from HTML and is available at http://pear.php.net/package/HTML_Safe. 18.4 has more details on cross-site scripting.



Previous page
Table of content
Next page
PHP Cookbook, 2nd Edition
PHP Cookbook: Solutions and Examples for PHP Programmers
ISBN: 0596101015
EAN: 2147483647
Year: 2006
Pages: 445
Authors: Adam Trachtenberg, David Sklar
BUY ON AMAZON
ADO.NET 3.5 Cookbook (Cookbooks (OReilly))
The .NET Developers Guide to Directory Services Programming
VBScript Programmers Reference
Professional Java Native Interfaces with SWT/JFace (Programmer to Programmer)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
Twisted Network Programming Essentials
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy