I don't see why people use strip_tags at all. I would hate posting to a forum that will strip tags, esp. if I want to show an example of something.
Just use htmlentities() and the data will be shown exactly as the user typed it, but none of the HTML or code within it will be evaluated. So if they type <script>, then instead of removing it, you just show it, but with the < and > replaced with HTML entities.

---John Holmes...

> -----Original Message-----
> From: Stuart Dallas [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 5:31 PM
> To: Philip Hallstrom
> Cc: Mikhail Avrekh; [EMAIL PROTECTED]
> Subject: Re[2]: [PHP] Re: strip_tags bug ?
>
> On Friday, June 7, 2002 at 10:23:08 PM, you wrote:
>
> > Hmm... you could always do something like:
> >
> > $t = ereg_replace(" < ", " < ", $t);
> > $t = ereg_replace(" > ", " > ", $t);
> >
> > $nt = strip_tags($t);
> >
> > $nt = ereg_replace(" < ", " < ", $nt);
> > $nt = ereg_replace(" > ", " > ", $nt);
> >
> > maybe?
>
> That depends on what you're attempting to do. It would leave the following
> SCRIPT section intact...
>
> < SCRIPT language="javascript" >
> // do something nasty here
> < /SCRIPT>
>
> I don't know what others use strip_tags for, but I've only ever used it to
> remove script/html tags from forum posts. Using your code would create a
> massive security hole.
>
> --
> Stuart
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
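An added example, not part of the original messages: it runs the two approaches discussed in this thread, strip_tags() and htmlentities(), over constructed sample posts so the outputs can be compared side by side. The helper names `render_post()` and `has_raw_markup()` are hypothetical, and the UTF-8 charset and the `ENT_QUOTES | ENT_SUBSTITUTE` flags are assumptions about the forum's setup.

```php
<?php
// Added example; the sample posts below are constructed for illustration.

// Escape a forum post for output as HTML element content.
function render_post(string $raw): string
{
    // ENT_QUOTES encodes both quote characters as well as < > &;
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of
    // returning an empty string. The charset is stated explicitly.
    $safe = htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Line breaks are the only markup added, and only after escaping.
    return nl2br($safe);
}

// True if any angle bracket survives apart from the <br /> added by nl2br().
function has_raw_markup(string $html): bool
{
    $withoutBreaks = str_replace('<br />', '', $html);
    return strpbrk($withoutBreaks, '<>') !== false;
}

$posts = [
    'comparison'  => 'Loop while i<count and stop when total>limit.',
    'code sample' => "Use bold like this:\n<b>text</b>",
    'spaced tag'  => '< SCRIPT language="javascript" > // do something nasty here < /SCRIPT>',
    'quotes'      => 'He said "use \'quotes\'" & moved on.',
];

foreach ($posts as $label => $raw) {
    $stripped = strip_tags($raw);   // removes whatever it takes to be a tag
    $escaped  = render_post($raw);  // keeps every character, encoded

    printf("[%s]\n", $label);
    printf("  input:      %s\n", $raw);
    printf("  strip_tags: %s\n", $stripped);
    printf("  escaped:    %s\n", $escaped);
    printf("  bytes lost by strip_tags: %d, raw markup after escaping: %s\n\n",
        strlen($raw) - strlen($stripped),
        has_raw_markup($escaped) ? 'yes' : 'no');
}
```

The escaped form is meant for HTML element content; the same string placed inside a script block, a URL or an unquoted attribute needs escaping appropriate to that context.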