Removing Tags

**Ntrimgs** · 07-26-2012 03:07 PM

I'm trying to only allow certain tags for text that is input through a text editor. I've got the following code that all text is filtered through first:

PHP Code:


$_content = strip_tags($_content, '<p></p><a></a><ul></ul><li></li><h1></h1>');

My understanding is that this will allow the tags above and strip the rest out, but I noticed and tags are making it through.

Is there another function to use to strip out the or tags or am I misusing the strip_tags function?

**NogDog** · 07-26-2012 03:29 PM

You don't need to include the closing tags in the allowed tag list. Maybe that's what's confusing things? See if it makes any difference with ''<a><ul><li><h1>'.

On a side note, be aware that it won't by itself prevent something like the following if you allow the tag, for instance:

Code:

<p onmouseover='window.location("http://www.example.com/annoying_page");'>

**Ntrimgs** · 07-26-2012 03:36 PM

Originally Posted by NogDog

You don't need to include the closing tags in the allowed tag list. Maybe that's what's confusing things? See if it makes any difference with ''<a><ul><li><h1>'.

On a side note, be aware that it won't by itself prevent something like the following if you allow the tag, for instance:

Code:

<p onmouseover='window.location("http://www.example.com/annoying_page");'>

I tried it without the closing tags and it still allowed a and tag through.

**NogDog** · 07-26-2012 05:45 PM

Have you considered using BBCode, or a WYSIWYG textarea plugin like TinyMCE? It can give you better overall control without you having to reinvent the wheel, so to speak.

**Ntrimgs** · 07-26-2012 05:48 PM

Originally Posted by NogDog

Have you considered using BBCode, or a WYSIWYG textarea plugin like TinyMCE? It can give you better overall control without you having to reinvent the wheel, so to speak.

I'm using CKEditor and I don't want the customer to change the fonts because then it screws up the default font-size and makes the site look like crap. I just don't understand why strip_tags doesn't remove those tags. Maybe they're exempt

**NogDog** · 07-26-2012 08:41 PM

Have you tried dumping the actual variable being processed right before the call to strip_tags? Is it possible that CKEditor is doing something funky with the mark-up?

In any case, this little test worked fine for me:

PHP Code:


<?php

$text = <<<EOD

<p>This is a <span style='font-family:courier'>test</span></p>

EOD;



echo "<pre>". htmlspecialchars($text)."</pre>\n";

echo $text;



$filtered = strip_tags($text, '<p><a>');

echo "<pre>". htmlspecialchars($filtered)."</pre>\n";

echo $filtered;

Thread: Removing Tags

Thread Tools

Display

Removing Tags

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions