Actually, we allow our users to use HTML tags -- a pretty large set of
tags is allowed in the second argument to strip_tags(). We just want to
strip out <javascript> and other stuff which has been known to cause problems.

This is why I was wondering if anyone has a good regexp which can allow
one to provide a set of allowed tags, instead of stripping any and all
HTML and other tags.

M.

On Fri, 7 Jun 2002, John Holmes wrote:

> I don't see why people use strip_tags at all. I would hate posting to a
> forum that will strip tags, esp. if I want to show an example of
> something.
>
> Just use htmlentities() and the data will be shown exactly as the user
> typed it, but none of the HTML or code within it will be evaluated. So
> if they type <script>, then instead of removing it, you just show it, but
> with the < and > replaced with HTML entities.
>
> ---John Holmes...
>
> > -----Original Message-----
> > From: Stuart Dallas [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 07, 2002 5:31 PM
> > To: Philip Hallstrom
> > Cc: Mikhail Avrekh; [EMAIL PROTECTED]
> > Subject: Re[2]: [PHP] Re: strip_tags bug ?
> >
> > On Friday, June 7, 2002 at 10:23:08 PM, you wrote:
> >
> > > Hmm... you could always do something like:
> >
> > > $t = ereg_replace(" < ", " &lt; ", $t);
> > > $t = ereg_replace(" > ", " &gt; ", $t);
> >
> > > $nt = strip_tags($t);
> >
> > > $nt = ereg_replace(" &lt; ", " < ", $nt);
> > > $nt = ereg_replace(" &gt; ", " > ", $nt);
> >
> > > maybe?
> >
> > That depends on what you're attempting to do. It would leave the
> > following SCRIPT section intact...
> >
> >  < SCRIPT language="javascript" >
> >    // do something nasty here
> >  < /SCRIPT>
> >
> > I don't know what others use strip_tags for, but I've only ever used
> > it to remove script/html tags from forum posts. Using your code would
> > create a massive security hole.
> >
> > --
> > Stuart
> >


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
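As an added example (not code from any message in this thread), the three approaches discussed above applied to one constructed forum post so their results can be compared side by side: Philip's space-padded bracket trick, John's htmlentities() suggestion, and strip_tags() with the allow list the original poster is after. The function names and the sample post are assumptions; Philip's ereg_replace() calls are written as str_replace() here because they replace literal strings and ereg_replace() no longer exists in current PHP.

```php
<?php
// Added example, not code from the thread. Function names and the sample
// post below are assumptions made for illustration.

// Constructed sample: markup the forum wants to keep, Stuart's space-padded
// SCRIPT block, and a plain sentence that uses < and > literally.
$post = "Hi <b>all</b>, see <a href=\"http://example.com/\">this page</a>.\n"
      . " < SCRIPT language=\"javascript\" > \n"
      . "   // do something nasty here\n"
      . " < /SCRIPT> \n"
      . "Note that 1 < 2 and 3 > 2.";

// Approach 1 (Philip's idea): hide space-padded brackets from strip_tags(),
// strip, then put them back. This reproduces the behaviour Stuart describes:
// a tag written as " < SCRIPT ... > " is never seen as a tag and survives.
function stripKeepingPaddedBrackets(string $text): string
{
    $t  = str_replace(' < ', ' &lt; ', $text);
    $t  = str_replace(' > ', ' &gt; ', $t);
    $nt = strip_tags($t);
    $nt = str_replace(' &lt; ', ' < ', $nt);
    return str_replace(' &gt; ', ' > ', $nt);
}

// Approach 2 (John's suggestion): escape every <, >, & and quote so the
// browser displays the markup exactly as typed and evaluates none of it.
function escapeEverything(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Approach 3 (what the original poster asked for): keep a fixed set of tags
// and drop everything else, using strip_tags()' second argument instead of a
// hand-written regexp. The allow list is an assumed example set.
function keepAllowedTags(string $text, string $allowed = '<b><i><a>'): string
{
    return strip_tags($text, $allowed);
}

// Show the three results next to each other for the same input.
$results = [
    'padded brackets (Philip)' => stripKeepingPaddedBrackets($post),
    'htmlentities (John)'      => escapeEverything($post),
    'allow list (strip_tags)'  => keepAllowedTags($post),
];
foreach ($results as $label => $result) {
    echo "=== $label ===\n$result\n\n";
}
```

Run it with `php` on the command line and compare the three blocks of output for the SCRIPT lines and for the literal "1 < 2" sentence. One caveat worth knowing before relying on approach 3: strip_tags() leaves the attributes of the tags you allow untouched, so an allow list on its own only decides which tag names survive and is not a complete sanitiser for the allowed tags' contents.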
