Which function is used to remove all html tags from string passed to a form in php?

doug at exploittheweb dot com ¶

7 years ago

"5.3.4    strip_tags[] no longer strips self-closing XHTML tags unless the self-closing XHTML tag is also given in allowable_tags."

This is poorly worded.

The above seems to be saying that, since 5.3.4, if you don't specify "
" in allowable_tags then "
" will not be stripped... but that's not actually what they're trying to say.

What it means is, in versions prior to 5.3.4, it "strips self-closing XHTML tags unless the self-closing XHTML tag is also given in allowable_tags", and that since 5.3.4 this is no longer the case.

So what reads as "no longer strips self-closing tags [unless the self-closing XHTML tag is also given in allowable_tags]" is actually saying "no longer [strips self-closing tags unless the self-closing XHTML tag is also given in allowable_tags]".

i.e.

pre-5.3.4: strip_tags['Hello World

','
'] => 'Hello World
' // strips
because it wasn't explicitly specified in allowable_tags

5.3.4 and later: strip_tags['Hello World

','
'] => 'Hello World

' // does not strip
because PHP matches it with
in allowable_tags

Dr. Gianluigi "Zane" Zanettini ¶

6 years ago

A word of caution. strip_tags[] can actually be used for input validation as long as you remove ANY tag. As soon as you accept a single tag [2nd parameter], you are opening up a security hole such as this:

Plus: regexing away attributes or code block is really not the right solution. For effective input validation when using strip_tags[] with even a single tag accepted, //htmlpurifier.org/ is the way to go.

stever at starburstpublishing dot com dot au ¶

6 years ago

Since strip_tags does not remove attributes and thus creates a potential XSS security hole, here is a small function I wrote to allow only specific tags with specific attributes and strip all other tags and attributes.

If you only allow formatting tags such as b, i, and p, and styling attributes such as class, id and style, this will strip all javascript including event triggers in formatting tags.

Note that allowing anchor tags or href attributes opens another potential security hole that this solution won't protect against. You'll need more comprehensive protection if you plan to allow links in your text.

abe ¶

1 year ago

Note, strip_tags will remove anything looking like a tag - not just tags - i.e. if you have tags in attributes then they may be removed too,

e.g.