Alexander Valyalkin wrote:
What is the sense of the [allowable_tags] parameter in strip_tags()?

According to the docs, "You can use the optional second parameter to specify
tags which should not be stripped".

strip_tags alone is indeed not enough to make sure the input is safe to display inside your web page. But even if you removed all attributes from the tags, you would still have the problem that you're not checking whether the input is valid HTML.


I once wrote a userland function which a) validated the input to ensure XML conformance and b) stripped all but certain tag/attribute combinations. It requires the input to be XHTML, but that makes the tests much easier.

But to be honest I think most of the time it is much better to simply disallow HTML and use htmlspecialchars() on user input.

I'd leave strip_tags as it is; it's still useful in some cases where you want to strip certain information for internal processing but don't include its output in a web page.

- Chris

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
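The following is an added example, not code from the thread or from PHP itself. It shows the point Chris makes: strip_tags() with allowable_tags keeps every attribute on an allowed tag, so event handlers and javascript: URLs pass straight through; htmlspecialchars() is the safe default; and a userland filter of the kind he describes can be built on DOMDocument::loadXML(), which rejects anything that is not well-formed XHTML, followed by an allowlist of tag/attribute combinations. The ALLOWED table, the wrapper element name, the http(s)-only rule for href and the sample inputs are this example's own assumptions.

```php
<?php
// Added example (not from the original thread or the PHP manual).
// Compares strip_tags() with allowable_tags, htmlspecialchars(), and a
// userland allowlist filter that requires well-formed XHTML input.
declare(strict_types=1);

// Constructed hostile input: the tags are "allowed", the attributes are not.
$input = '<b onmouseover="alert(1)">hi</b> '
       . '<a href="javascript:alert(2)">click</a> '
       . '<a href="http://example.com/">ok</a>';

// 1. strip_tags() keeps every attribute on an allowed tag, so both the
//    onmouseover handler and the javascript: href survive unchanged.
echo strip_tags($input, '<a><b>'), "\n";

// 2. The safe default: do not allow HTML at all, just escape it.
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), "\n";

// 3. Allowlist filter over an XML parse tree. Assumed policy (example's own):
//    only these tag => attribute combinations survive.
const ALLOWED = [
    'b' => [],
    'i' => [],
    'p' => [],
    'a' => ['href'],
];

function xhtml_filter(string $fragment): ?string
{
    // Require well-formed XML; malformed input is rejected, not repaired.
    // The <root> wrapper is the example's own choice so that the fragment
    // need not have a single top-level element.
    $dom = new DOMDocument('1.0', 'UTF-8');
    $prev = libxml_use_internal_errors(true);
    $ok = $dom->loadXML('<root>' . $fragment . '</root>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    filter_node($dom->documentElement);
    $out = '';
    foreach ($dom->documentElement->childNodes as $child) {
        $out .= $dom->saveXML($child);
    }
    return $out;
}

function filter_node(DOMNode $node): void
{
    // Iterate over a snapshot: the live child list is mutated below.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED[$tag])) {
                // Unknown element: drop the tag but keep its text content.
                $text = $node->ownerDocument->createTextNode($child->textContent);
                $node->replaceChild($text, $child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name  = strtolower($attr->name);
                $value = trim($attr->value);
                // Assumed rule: href is only kept for http(s) URLs.
                $keep = in_array($name, ALLOWED[$tag], true)
                    && ($name !== 'href' || preg_match('#^https?://#i', $value) === 1);
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            filter_node($child);
        } elseif ($child instanceof DOMCdataSection) {
            // Re-emit CDATA as ordinary escaped text.
            $node->replaceChild($node->ownerDocument->createTextNode($child->data), $child);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions are not needed: drop them.
            $node->removeChild($child);
        }
    }
}

echo xhtml_filter($input), "\n";

// Not well-formed XHTML: the filter returns NULL instead of guessing.
var_dump(xhtml_filter('<b>unclosed'));
```

Run with the PHP CLI (the dom extension must be loaded). The first line of output still carries the onmouseover handler and the javascript: URL; the filtered version keeps `<b>` and both `<a>` elements but drops the event handler and the javascript: href, while the http URL survives. The trade-off Chris mentions is visible in the last call: `<b>unclosed` is not well-formed XML, so it is rejected outright rather than repaired, and the same happens for HTML-only entities such as `&nbsp;`, which have no definition in plain XML.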