13.14.1. ProblemYou want to remove HTML and PHP tags from a string or file. For example, you want to make sure there is no HTML in a string before printing it or PHP in a string before passing it to eval( ). 13.14.2. SolutionUse strip_tags( ) to remove HTML and PHP tags from a string, as shown in Example 13-52. Removing HTML and PHP tags
Example 13-52 prints: I love computer books. To strip tags from a stream as you read it, use the string.strip_tags stream filter, as shown in Example 14-2. Removing HTML and PHP tags from a stream
13.14.3. DiscussionBoth strip_tags( ) and the string.strip_tags filter can be told not to remove certain tags. Provide a string containing of allowable tags to strip_tags( ) as a second argument. The tag specification is case insensitive, and for pairs of tags, you only have to specify the opening tag. For example, to remove all but <b></b><i></i> tags from $html, call strip_tags($html,'<b><i>'). With the string.strip_tags filter, pass a similar string as a fourth argument to stream_filter_append( ). The third argument to stream_filter_append( ) controls whether the filter is applied on reading (STREAM_FILTER_READ), writing (STREAM_FILTER_WRITE), or both (STREAM_FILTER_ALL). Example 13-54 does what Example 14-2 does, but allows <b></b><i></i> tags. Removing some HTML and PHP tags from a stream
stream_filter_append( ) also accepts an array of tag names instead of a string: array('b','i') instead of '<b><i>'. Whether with strip_tags( ) or the stream filter, attributes are not removed from allowed tags. This means that an attribute that changes display (such as style) or executes JavaScript (any event handler) is preserved. If you are displaying "stripped" text of arbitrary origin in a web browser to a user, this could result in cross-site scripting attacks. 13.14.4. See AlsoDocumentation on strip_tags( ) at http://www.php.net/strip-tags, on stream_filter_append( ) at http://www.php.net/stream_filter_append, and stream filters at http://www.php.net/filters. The PEAR package HTML_Safe attempts to remove unsafe content from HTML and is available at http://pear.php.net/package/HTML_Safe. 18.4 has more details on cross-site scripting. |