strcspn
Hi. I made a function that removes the HTML tags along with their contents:
Function:
<?php
function strip_tags_content($text, $tags = '', $invert = FALSE) {
preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
$tags = array_unique($tags[1]);
if(is_array($tags) AND count($tags) > 0) {
if($invert == FALSE) {
return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
}
else {
return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
}
}
elseif($invert == FALSE) {
return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
}
return $text;
}
?>
Sample text:
$text = '<b>sample</b> text with <div>tags</div>';
Result for strip_tags($text):
sample text with tags
Result for strip_tags_content($text):
text with
Result for strip_tags_content($text, '<b>'):
<b>sample</b> text with
Result for strip_tags_content($text, '<b>', TRUE);
text with <div>tags</div>
I hope that someone is useful :) The exact explanation for Polish PHP programmers at http://www.tarnaski.eu/blog/rozszerzone-strip_tags/
add a note
User Contributed Notesstrip_tags
mariusz.tarnaski at wp dot pl
12-Nov-2008 08:05
12-Nov-2008 08:05
lucky760 at VideoSift dot com
20-Oct-2008 10:21
20-Oct-2008 10:21
It's come to my attention that PHP's strip_tags has been doing something funky to some video embed codes that our members submit. I'm not sure the exact situation, but whenever there is a <param> tag that is very long, strip_tags() will completely remove the tag even though it's specified as an allowable tag.
Here's an example of the existing problem:
<?php
// a single very long <param> tag
$html =<<<EOF
<param name="flashVars" value="skin=http%3A//cdn-i.dmdentertainm
...[snip]...
vie%20of%20All-Time"/>
EOF;
echo strip_tags($html, '<param>');
// this outputs an empty string
?>
This is the function I built to fix and extend the functionality of strip_tags(). The args are:
- $i_html - the HTML string to be parsed
- $i_allowedtags - an array of allowed tag names
- $i_trimtext - whether or not to strip all text outside of the allowed tags
<?php
function real_strip_tags($i_html, $i_allowedtags = array(), $i_trimtext = FALSE) {
if (!is_array($i_allowedtags))
$i_allowedtags = !empty($i_allowedtags) ? array($i_allowedtags) : array();
$tags = implode('|', $i_allowedtags);
if (empty($tags))
$tags = '[a-z]+';
preg_match_all('@</?\s*(' . $tags . ')(\s+[a-z_]+=(\'[^\']+\'|"[^"]+"))*\s*/?>@i', $i_html, $matches);
$full_tags = $matches[0];
$tag_names = $matches[1];
foreach ($full_tags as $i => $full_tag) {
if (!in_array($tag_names[$i], $i_allowedtags))
if ($i_trimtext)
unset($full_tags[$i]);
else
$i_html = str_replace($full_tag, '', $i_html);
}
return $i_trimtext ? implode('', $full_tags) : $i_html;
}
?>
And here's an example with the a block of full video embed code with <object><embed><param> and some extraneous HTML:
<?php
$html =<<<EOF
<em><div><object type="application/x-shock
...[snip]...
me.html">Wal-Mart Makes The Worst Movie of All-Time</a> -- powered by whatever</div></em>
EOF;
$good_html = real_strip_tags($html, array('object', 'embed', 'param'), TRUE);
?>
Now $good_html contains only the specified tags and none of the "powered by" type text. I hope someone finds this as useful as I needed it to be. :)
southsentry at yahoo dot com
25-Sep-2008 09:15
25-Sep-2008 09:15
I was looking for a simple way to ban html from review posts, and the like. I have seen a few classes to do it. This line, while it doesn't strip the post, effectively blocks people from posting html in review and other forms.
<?php
if (strlen(strip_tags($review)) < strlen($review)) {
return false;
}
?>
If you want to further get by the tricksters that use & for html links, include this:
<?php
if (strlen(strip_tags($review)) < strlen($review)) {
return false;
} elseif ( strpos($review, "&") !== false) {
return 5;
}
?>
I hope this helps someone out!
valentin -DOT- moreira -AT- atapear.com
15-Sep-2008 08:43
15-Sep-2008 08:43
The following function has a small error:
<?
function html2txt($document){
$search = array('@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments including CDATA
);
$text = preg_replace($search, '', $document);
return $text;
}
?>
It´s a great function and work fine!, but don´t erase the inline <style> code.
This function only works 100% fine changing the regexp order to this:
<?
function html2txt($document){
$search = array('@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments including CDATA
);
$text = preg_replace($search, '', $document);
return $text;
}
?>
mdw252 at psu dot edu
13-Sep-2008 11:58
13-Sep-2008 11:58
I think I may have come up with a pretty simple white-list based approach to attribute management. It's kind of hack-ish, but it's been pretty resilient with everything I've thrown at it. Check it out:
function stripAttributes($string)
{
$string=preg_replace('/(<a.*)href=(.*>)/', '${1}href..;,;..${2}', $string);
$string=preg_replace('/(<.*)id=(.*>)/', '${1}id..;,;..${2}', $string);
$string=preg_replace('/(<.*)class=(.*>)/', '${1}class..;,;..${2}', $string);
while(preg_match('/(<.*) .*=(\'|"|\w)\w*(\'|"|\w)(.*>)/', $string)) $string=preg_replace('/(<.*) .*=(\'|"|\w)\w*(\'|"|\w)(.*>)/', '${1}${4}', $string);
$string=str_replace('..;,;..', '=', $string);
return $string;
}
As you can see, I have it set to only allow href (in <a> tags), id, and class attributes, and everything else will be deleted. It should be pretty self-explanatory to customize it to your own purposes.
Liam Morland
23-Aug-2008 05:58
23-Aug-2008 05:58
Here is a suggestion for getting rid of attributes: After you run your HTML through strip_tags(), use the DOM interface to parse the HTML. Recursively walk through the DOM tree and remove any unwanted attributes. Serialize the DOM back to the HTML string.
Don't make the default permit mistake: Make a list of the attributes you want to ALLOW and remove any others, rather than removing a specific list, which may be missing something important.
Logic
15-Jun-2008 03:58
15-Jun-2008 03:58
Remember sometimes with regex it's easier to list what you want to keep instead of everything you do not want. Not to mention this makes it easier on the server. With html attributes there may only be a select few you would want to keep.
Rather than an array that says
$trash = array('a','b','d','f','g');
You could use
$keep = array('c','e');
Simply remember your ^not operator in your final regex.
razonklnbd at hotmail dot com
10-Jun-2008 02:45
10-Jun-2008 02:45
When I attempt to use strip_tags it didn't strip text of that string. But I need to strip text all the text into an html page header code. This function will perform it operation like following way...
1. Check if string contain "<body>" tag
2. If found then keep the body text and remove other staff like css, js or any
3. Then do strip_tag function
Its a small but handy function... so I like to share.
Function Definition:
function extractBodyText($p_str, $p_allowedtag=NULL){
$fstr=(preg_match('/<body[^>]*>(.*?)<\/body>/si', $p_str, $regs)?$fstr=$regs[1]:$p_str);
$rtrn=(isset($p_allowedtag)?strip_tags($fstr, $p_allowedtag):strip_tags($fstr));
return $rtrn;
}
Example:
$str01='
<dd>
<p class="para">
You can use the optional second parameter to specify tags which should
not be stripped.
</p>
<blockquote><p><b class="note">Note</b>:
HTML comments and PHP tags are also stripped. This is hardcoded and
can not be changed with <i><tt class="parameter">allowable_tags</tt></i>.
<br />
</p></blockquote>
</dd>
';
$str='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
'.$str01.'
</body>
</html>
';
echo('<div>'.extractBodyText($str, '<p>').'</div>');
echo('<div>'.extractBodyText($str01).'</div>');
echo('<div>'.strip_tags($str, '<p>').'</div>');
Result:
<div>
<p class="para">
You can use the optional second parameter to specify tags which should
not be stripped.
</p>
<p>Note:
HTML comments and PHP tags are also stripped. This is hardcoded and
can not be changed with allowable_tags.
</p>
</div><div>
You can use the optional second parameter to specify tags which should
not be stripped.
Note:
HTML comments and PHP tags are also stripped. This is hardcoded and
can not be changed with allowable_tags.
</div><div>
Untitled Document
<p class="para">
You can use the optional second parameter to specify tags which should
not be stripped.
</p>
<p>Note:
HTML comments and PHP tags are also stripped. This is hardcoded and
can not be changed with allowable_tags.
</p>
</div>
ZlobnyNigga
21-May-2008 09:14
21-May-2008 09:14
Attempts to write stip_tags_attributes function looks like endless loop of finding vulnerabilities in function, patching them, then again vulnerabilities, then again patch...
I decided to use HTML_Safe package from http://pear.php.net/package/HTML_Safe
I works fine, but, of course, it is slower then functions written below. You decide =)
Massoud Abbagash
07-May-2008 03:56
07-May-2008 03:56
Danno, your script has a flaw.
Try this :
<?php
function strip_tags_keep_links($sSource)
{
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/\b((?![hH][rR][eE][fF]\b)\w+)[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource,'<a>'));
}
$source = "<a href=javascript:alert('doesn\'t work!') title=\"move your mouse here\" href=http://www.a_web_site.org onmouseover\n=\nalert(\"doesn\'t work!\") onmouseover='alert(\"doesn\'t work!\")' alt=\"move your mouse here\" > test</a>";
$result=strip_tags_keep_links($source);
echo($result);
?>
Massoud Abbagash
07-May-2008 03:26
07-May-2008 03:26
There is still a flaw in your function.
Look at this, the [onmouseover] sample script below remains. Even after the treatment with the function [strip_tags_attributes].
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavaible', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragdrop', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterupdate', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmoveout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'))
{
if (empty($aDisabledAttributes)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags)));
}
$source="<big onmouseover=alert('Hello!')>Move your mouse here (this doesn't work with [ strip_tags_attributes ])</big>";
$striped_source=strip_tags_attributes($source,array('<big>'));
echo($striped_source);
?>
Now,this is my correction:
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavaible', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragdrop', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterupdate', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmoveout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'))
{
if (empty($aDisabledAttributes)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/\s(' . implode('|', $aDisabledAttributes) . ').*?([\s\>])/', '\\2', preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags))) );
}
$source="<big onmouseover=alert('Hello!')>Move your mouse here (this work with [ strip_tags_attributes corrected ])</big>";
$striped_source=strip_tags_attributes($source,array('<big>'));
echo($striped_source);
?>
bluej100@gmail
02-May-2008 12:31
02-May-2008 12:31
Allowing user HTML while preventing XSS is non-trivial. Don't just try to hack together a regexp for it; at very least, check your solution against all of the ha.ckers.org exploit examples:
http://ha.ckers.org/xss.html
Really, though, you should be using a solid library that recognizes tags, attributes, and styles from a whitelist and rebuilds the markup from scratch. HTMLPurifier has a "linkify" option that does what you're looking for.
http://htmlpurifier.org
LK
19-Apr-2008 04:30
19-Apr-2008 04:30
Concerning all of the notes about which attributes to include in strip_tags_attributes(), the latest of which is by Kalle Sommer Nielsen:
Correct me if I'm wrong, but isn't it a lot easier to simply reject any attribute that starts with "on"? Thus, the whole array of various javascript attributes could be replaced with "on\w+".
I am not aware of any non-javascript attributes that start with these two letters, and if there were, it would be easier to make an exception for them than for the countless JS attributes.
Danno
08-Apr-2008 01:20
08-Apr-2008 01:20
Hi everyone,
I came across this thread looking for a way to strip out all tags but links and leaving only the HREF attribute. I took what you guys have worked on and made it allow only the HREF attribute. This way even if the spec changes you are sure to not let any javascript sneak in, who knows what the future will bring :P . So I think its pretty tight, take a look at it and modify if you see any holes.
<?php
function strip_tags_keep_links($sSource)
{
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/\b((?![hH][rR][eE][fF]\b)\w+)[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource,'<a>'));
}
?>
Kalle Sommer Nielsen
30-Mar-2008 03:05
30-Mar-2008 03:05
This adds alot of missing javascript events on the strip_tags_attributes() function from below entries.
Props to MSDN for lots of them ;)
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavaible', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragdrop', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterupdate', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmoveout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'))
{
if (empty($aDisabledAttributes)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags)));
}
?>
sych
13-Mar-2008 08:26
13-Mar-2008 08:26
brian, this solution is not good, because there are events that you will forget any way. Like, with this code you are vulnerable to attr "onMouseEnter" and tons of others that actually exist in javascript specs.
brian at diamondsea dot com
03-Mar-2008 11:47
03-Mar-2008 11:47
An update agolna's update to sbritton's function:
Adds additional javascript events to the aDisabledAttributes array.
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onabort', 'onblue', 'onchange', 'onclick', 'ondblclick', 'onerror', 'onfocus', 'onkeydown', 'onkeyup', 'onload', 'onmousedown', 'onmousemove', 'onmouseover', 'onmouseup', 'onreset', 'onresize', 'onselect', 'onsubmit', 'onunload'))
{
if (empty($aDisabledAttributes)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags)));
}
?>
agolna at gmail dot com
28-Feb-2008 07:37
28-Feb-2008 07:37
An update to sbritton's function:
If you have whitespace between the = sign and the attribute, it would bypass the regex. This updates that.
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onclick', 'ondblclick', 'onkeydown', 'onkeypress', 'onkeyup', 'onload', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onunload'))
{
if (empty($aDisabledAttributes)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")[ \\t\\n]*=[ \\t\\n]*[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags)));
}
?>
ZlobnyNigga
21-Feb-2008 08:22
21-Feb-2008 08:22
sbritton's function is not so good...
<?php
$str = "<p onmouseover = 'alert(1);'>123</p>";
echo strip_tags_attributes($str);
?>
sbritton
04-Feb-2008 10:35
04-Feb-2008 10:35
The function below corrects a typo in y5's function to strip tags and attributes - it also adds lithium1330's recommended 's' parameter:
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onclick', 'ondblclick', 'onkeydown', 'onkeypress', 'onkeyup', 'onload', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onunload'))
{
if (empty($aDisabledAttributes)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")=[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags)));
}
?>
lithium1330[(at)]msn.com
25-Jan-2008 04:02
25-Jan-2008 04:02
Please note: in the code given by y5, Tony Freeman, tREXX [www.trexx.ch] and maybe others, you need to use the modifier "s" at the end of the preg_replace()'s regex (/ies) in order to strip attributes that have a line break before them, otherwise those attributes wont be stripped.
bstrick at gmail dot com
15-Jan-2008 09:52
15-Jan-2008 09:52
This will strip all PHP and HTML out of a file. Leaves only plain txt.
// Open the search file
$file = fopen($filename, 'r');
// Get rid of all PHP code.
$search = array('/<\?((?!\?>).)*\?>/s');
$text = fread($file, filesize($filename));
$new = strip_tags(preg_replace($search, '', $text));
echo $new;
fclose($file);
- Strick
y5
15-Jan-2008 08:59
15-Jan-2008 08:59
An improved version of tREXX and Tony Freeman's code, this keeps the code clean while removing unwanted attributes, including the javascript: protocol. Unlike the built-in strip_tags() function, this takes an array for allowed tags, rather than a string. For example: array('<a>', '<object>');
I don't understand why the built-in function uses a string.. oh well =)
<?php
function strip_tags_attributes($sSource, $aAllowedTags = array(), $aDisabledAttributes = array('onclick', 'ondblclick', 'onkeydown', 'onkeypress', 'onkeyup', 'onload', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onunload'))
{
if (empty($aDisabledEvents)) return strip_tags($sSource, implode('', $aAllowedTags));
return preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")=[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", strip_tags($sSource, implode('', $aAllowedTags)));
}
?>
Matthieu Larcher
27-Jun-2007 08:44
27-Jun-2007 08:44
I noticed some problems with the strip_selected_tags() function below, sometimes big chunks of contents where suppressed...
Here is a modified version that should run better.
<?php
function strip_selected_tags($text, $tags = array())
{
$args = func_get_args();
$text = array_shift($args);
$tags = func_num_args() > 2 ? array_diff($args,array($text)) : (array)$tags;
foreach ($tags as $tag){
while(preg_match('/<'.$tag.'(|\W[^>]*)>(.*)<\/'. $tag .'>/iusU', $text, $found)){
$text = str_replace($found[0],$found[2],$text);
}
}
return preg_replace('/(<('.join('|',$tags).')(|\W.*)\/>)/iusU', '', $text);
}
?>
birwin at suddensales dot com
23-Jun-2007 12:18
23-Jun-2007 12:18
This is an upgrade to the illegal characters script by robt. This script will handle the input, even if the one or all of the fileds include arrays. Of course another loop could be added to handle compound arrays within arrays, but if you are savvy enough to be using compound arrays, you don't need me to rewrite the program.
<?
function screenForm($ary_check_for_html)
{
// check array - reject if any content contains HTML.
foreach($ary_check_for_html as $field_value)
{
if(is_array($field_value))
{
foreach($field_value as $field_array) // if the field value is an array, step through it
{
$stripped = strip_tags($field_array);
if($field_array!=$stripped)
{
// something in the field value was HTML
return false;
}
}
}else{
$stripped = strip_tags($field_value);
if($field_value!=$stripped)
{
// something in the field value was HTML
return false;
}
}
}
return true;
}
?>
geersc at hotmail dot com
12-May-2007 03:13
12-May-2007 03:13
Hi,
I made the following adjustments to the "stripeentag()" function listed here.
Improvements are always welcome.
Regards,
Chris
<?php
function strip_attributes($msg, $tag, $attr, $suffix = "")
{
$lengthfirst = 0;
while (strstr(substr($msg, $lengthfirst), "<$tag ") != "")
{
$tag_start = $lengthfirst + strpos(substr($msg, $lengthfirst), "<$tag ");
$partafterwith = substr($msg, $tag_start);
$img = substr($partafterwith, 0, strpos($partafterwith, ">") + 1);
$img = str_replace(" =", "=", $img);
$out = "<$tag";
for($i=0; $i < count($attr); $i++)
{
if (empty($attr[$i])) {
continue;
}
$long_val =
(strpos($img, " ", strpos($img, $attr[$i] . "=")) === FALSE) ?
strpos($img, ">", strpos($img, $attr[$i] . "=")) - (strpos($img, $attr[$i] . "=") + strlen($attr[$i]) + 1) :
strpos($img, " ", strpos($img, $attr[$i] . "=")) - (strpos($img, $attr[$i] . "=") + strlen($attr[$i]) + 1);
$val = substr($img, strpos($img, $attr[$i] . "=" ) + strlen($attr[$i]) + 1, $long_val);
if (!empty($val)) {
$out .= " " . $attr[$i] . "=" . $val;
}
}
if (!empty($suffix)) {
$out .= " " . $suffix;
}
$out .= ">";
$partafter = substr($partafterwith, strpos($partafterwith,">") + 1);
$msg = substr($msg, 0, $tag_start). $out. $partafter;
$lengthfirst = $tag_start + 3;
}
return $msg;
}
?>
lucky760 at yahoo dot com
22-Feb-2007 08:52
22-Feb-2007 08:52
I needed a way to allow user comments to contain only hyperlinks as the only allowed HTML tags. This is easy enough to accomplish, but I also needed a way to convert full URLs into hyperlinks, and this complicated things a bit.
The functions below are not very elegant, but do the job. Function strip_tags_except() works similarly to the strip_selected_tags() function defined a few times on this page, but instead of allowing the user to specify the tags to strip, she can specify the tags to allow and strip all others. The third parameter, $strip, when TRUE removes "<" and ">" from the string and when FALSE converts them to "<" and ">" respectively.
Function url_to_link() simply converts full URLs into an equivalent hyperlink taking into consideration that users may end a URL with a character that's not actually part of the address.
When using both, url_to_link() should be called before strip_tags_except(). Here's an example as we are using it on http://www.VideoSift.com:
<?php
$summary = url_to_link($summary);
$summary = strip_tags_except($summary, array('a'), FALSE);
?>
Here are the function definitions:
<?php
function strip_tags_except($text, $allowed_tags, $strip=TRUE) {
if (!is_array($allowed_tags))
return $text;
if (!count($allowed_tags))
return $text;
$open = $strip ? '' : '<';
$close = $strip ? '' : '>';
preg_match_all('!<\s*(/)?\s*([a-zA-Z]+)[^>]*>!',
$text, $all_tags);
array_shift($all_tags);
$slashes = $all_tags[0];
$all_tags = $all_tags[1];
foreach ($all_tags as $i => $tag) {
if (in_array($tag, $allowed_tags))
continue;
$text =
preg_replace('!<(\s*' . $slashes[$i] . '\s*' .
$tag . '[^>]*)>!', $open . '$1' . $close,
$text);
}
return $text;
}
function url_to_link($text) {
$text =
preg_replace('!(^|([^\'"]\s*))' .
'([hf][tps]{2,4}:\/\/[^\s<>"\'()]{4,})!mi',
'$2<a href="$3">$3</a>', $text);
$text =
preg_replace('!<a href="([^"]+)[\.:,\]]">!',
'<a href="$1">', $text);
$text = preg_replace('!([\.:,\]])</a>!', '</a>$1',
$text);
return $text;
}
?>
rodt
16-Jan-2007 07:46
16-Jan-2007 07:46
I have used this function successfully to prevent bots inserting HTML to web forms. Put the fields' contents into an array, then feed array to this function as an argument. Returns false if HTML is included; true if there is no HTML in any of the array's values. Hope it's helpful to someone.
/*
Checks that there is no HTML in any of provided fields.
$ary_no_html_allowed = Array to check for HTML content.
*/
function screenForm($ary_check_for_html){
// check array - reject if any content contains HTML.
foreach($ary_check_for_html as $field_value) {
$stripped = strip_tags($field_value);
if($field_value!=$stripped) { // something in the field value was HTML
return false;
}
}
return true;
}
}
uersoy at tnn dot net
26-Dec-2006 05:18
26-Dec-2006 05:18
admin at automapit dot com's function is great. Cleans everything I don't need :). But there is a small problem; strip style tags line should be before strip html tags line. Otherwise, strip html tags section cleans the <style></style> and between them is stays there as text.
<?php
function html2txt($document){
$search = array('@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments including CDATA
);
$text = preg_replace($search, '', $document);
return $text;
}
?>
bermi ferrer
27-Nov-2006 01:40
27-Nov-2006 01:40
Here is a faster and tested version of strip_selected_tags.
Previous example had a small bug that has been fixed now.
<?php
function strip_selected_tags($text, $tags = array())
{
$args = func_get_args();
$text = array_shift($args);
$tags = func_num_args() > 2 ? array_diff($args,array($text)) : (array)$tags;
foreach ($tags as $tag){
if( preg_match_all( '/<'.$tag.'[^>]*>([^<]*)<\/'.$tag.'>/iu', $text, $found) ){
$text = str_replace($found[0],$found[1],$text);
}
}
return preg_replace( '/(<('.join('|',$tags).')(\\n|\\r|.)*\/>)/iu', '', $text);
}
?>
bermi ferrer at (google it yourself :P )
24-Nov-2006 09:08
24-Nov-2006 09:08
This is Salaverts function improved with suggestions from this page as it has been refactored forthe Akelos Framework (http://www.akelos.org) by Jose Salavert
Please note that the "u" modifier need to be lowercased. This function will also replace self-closing tags (XHTML <br /> <hr />) and will work if the text contains line breaks.
<?php
function strip_selected_tags($text, $tags = array())
{
$args = func_get_args();
$text = array_shift($args);
$tags = func_num_args() > 2 ? array_diff($args,array($text)) : (array)$tags;
foreach ($tags as $tag){
if(preg_match_all('/<'.$tag.'[^>]*>((\\n|\\r|.)*)<\/'. $tag .'>/iu', $text, $found)){
$text = str_replace($found[0],$found[1],$text);
}
}
return preg_replace('/(<('.join('|',$tags).')(\\n|\\r|.)*\/>)/iu', '', $text);
}
?>
David
05-Nov-2006 11:29
05-Nov-2006 11:29
<?php
/**
* strip_selected_tags ( string str [, string strip_tags[, strip_content flag]] )
* ---------------------------------------------------------------------
* Like strip_tags() but inverse; the strip_tags tags will be stripped, not kept.
* strip_tags: string with tags to strip, ex: "<a><p><quote>" etc.
* strip_content flag: TRUE will also strip everything between open and closed tag
*/
public function strip_selected_tags($str, $tags = "", $stripContent = false)
{
preg_match_all("/<([^>]+)>/i",$tags,$allTags,PREG_PATTERN_ORDER);
foreach ($allTags[1] as $tag){
if ($stripContent) {
$str = preg_replace("/<".$tag."[^>]*>.*<\/".$tag.">/iU","",$str);
}
$str = preg_replace("/<\/?".$tag."[^>]*>/iU","",$str);
}
return $str;
}
?>
anonymous
01-Nov-2006 04:52
01-Nov-2006 04:52
A different approach to cleaning up HTML would be to first escape all unsafe characters:
& to &
< to <
> to >
then to unescape matching pairs of tags back (e.g. "<b>hello</b>" => "<b>hello</b>"), if it is identified safe.
This backwards-approach should be safer because if a tag is not identified correctly, it is, at the end, in an escaped state.
So if a user enters invalid html, or tags that are unsupported or unwanted, they are shown in plain text, and not stripped away. This is good, because the characters "<" and ">" might have been used in a different way (e.g. to make a text arrow: "a <=> b").
This is the case in most forums (apart from the fact that they use "[tag]"-tags instead of "<tag>"-tags)