You want to remove HTML and PHP tags from a string or file. For example, you want to make sure there is no HTML in a string before printing it or PHP in a string before passing it to eval( ).
Use strip_tags( ) to remove HTML and PHP tags from a string, as shown in Example 13-52.
Removing HTML and PHP tags
Example 13-52 prints:
I love computer books.
To strip tags from a stream as you read it, use the string.strip_tags stream filter, as shown in Example 14-2.
Removing HTML and PHP tags from a stream
Both strip_tags( ) and the string.strip_tags filter can be told not to remove certain tags. Provide a string containing the allowable tags to strip_tags( ) as a second argument. The tag specification is case insensitive, and for pairs of tags, you only have to specify the opening tag. For example, to remove all but <b></b><i></i> tags from $html, call strip_tags($html,'<b><i>').
With the string.strip_tags filter, pass a similar string as a fourth argument to stream_filter_append( ). The third argument to stream_filter_append( ) controls whether the filter is applied on reading (STREAM_FILTER_READ), writing (STREAM_FILTER_WRITE), or both (STREAM_FILTER_ALL). Example 13-54 does what Example 14-2 does, but allows <b></b><i></i> tags.
Removing some HTML and PHP tags from a stream
stream_filter_append( ) also accepts an array of tag names instead of a string: array('b','i') instead of '<b><i>'.
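When strip_tags( ) is given a list of allowable tags, it leaves those tags' attributes (event handlers, style, and so on) in place, so the result is not safe to print as is. The following is an added example, not code from the original recipe: strip_tags_and_attributes( ) is a hypothetical helper and the input string is constructed. It removes disallowed tags with strip_tags( ) and then drops every attribute from the surviving elements using DOMDocument.

```php
<?php
// Added example, not from the original recipe; the sample input is constructed.

// Keep only the tags named in $allowed and drop every attribute on them.
function strip_tags_and_attributes(string $html, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);
    $allowList = $allowed ? '<' . implode('><', $allowed) . '>' : '';
    $kept = strip_tags($html, $allowList);

    // Parse the remainder; fragments are not valid documents, so silence warnings.
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML(
        '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body><div>' . $kept . '</div></body></html>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $root = $doc->getElementsByTagName('div')->item(0);
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        if (!in_array(strtolower($el->nodeName), $allowed, true)) {
            // The parser found an element strip_tags() let through: drop it.
            $el->parentNode->removeChild($el);
            continue;
        }
        while ($el->attributes->length > 0) {
            $el->removeAttributeNode($el->attributes->item(0));
        }
    }

    // Serialize only the children of the wrapper <div>.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$html = 'I <b onmouseover="alert(1)">love</b> <i style="font-size:99em">computer</i> '
      . '<a href="http://example.com/">books</a>.';

echo strip_tags($html), "\n";                             // every tag removed
echo strip_tags($html, '<b><i>'), "\n";                   // <b>, <i> kept with attributes
echo strip_tags_and_attributes($html, ['b', 'i']), "\n";  // <b>, <i> kept, attributes gone
```

If the text is only ever displayed and no markup needs to survive, calling strip_tags( ) with no allowable tags and passing the result through htmlspecialchars( ) before printing is the simpler option.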
13.14.4. See Also
Documentation on strip_tags( ) at http://www.php.net/strip-tags, on stream_filter_append( ) at http://www.php.net/stream_filter_append, and on stream filters at http://www.php.net/filters. The PEAR package HTML_Safe attempts to remove unsafe content from HTML and is available at http://pear.php.net/package/HTML_Safe. 18.4 has more details on cross-site scripting.