Actually, we allow our users to use HTML tags -- a pretty large set of
tags is allowed in the second argument to strip_tags(). We just want to
This is why I was wondering if anyone has a good regexp which can allow
one to provide a set of allowed tags, instead of stripping any and all
HTML and other tags.
On Fri, 7 Jun 2002, John Holmes wrote:
> I don't see why people use strip_tags at all. I would hate posting to a
> forum that will strip tags, esp. if I want to show an example of
> Just use htmlentities() and the data will be shown exactly as the user
> typed it, but none of the HTML or code within it will be evaluated. So
> if they type <script>, then instead of removing it, you just show it, but
> with the < and > replaced with HTML entities.
> ---John Holmes...
> > -----Original Message-----
> > From: Stuart Dallas [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 07, 2002 5:31 PM
> > To: Philip Hallstrom
> > Cc: Mikhail Avrekh; [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: strip_tags bug ?
> > On Friday, June 7, 2002 at 10:23:08 PM, you wrote:
> > > Hmm... you could always do something like:
> > > $t = ereg_replace(" < ", " &lt; ", $t);
> > > $t = ereg_replace(" > ", " &gt; ", $t);
> > > $nt = strip_tags($t);
> > > $nt = ereg_replace(" &lt; ", " < ", $nt);
> > > $nt = ereg_replace(" &gt; ", " > ", $nt);
> > > maybe?
> > That depends on what you're attempting to do. It would leave the
> > SCRIPT section intact...
> > // do something nasty here
> > < /SCRIPT>
> > I don't know what others use strip_tags for, but I've only ever used it to
> > remove script/html tags from forum posts. Using your code would create a
> > massive security hole.
> > --
> > Stuart
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
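
One way to allow a fixed set of tags without the hole discussed in the thread, as an added example that is not code from any of the posters: escape everything first, then restore only exact, attribute-free tags from the list. The function name render_post(), the $allowed list and the sample posts are assumptions constructed here.

```php
<?php
// Added example. render_post() and $allowed are hypothetical names.

function render_post(string $input, array $allowed): string
{
    // Step 1: neutralise every tag, as htmlentities() would.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($allowed === []) {
        return $safe;
    }

    // Step 2: alternation built only from the allowlisted tag names.
    $names = implode('|', array_map(
        fn (string $tag): string => preg_quote($tag, '~'),
        $allowed
    ));

    // Step 3: restore only exact <tag> and </tag>. A tag with attributes,
    // or with a space after "<", does not match and stays escaped.
    return preg_replace_callback(
        '~&lt;(/?)(' . $names . ')&gt;~i',
        fn (array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $safe
    ) ?? $safe;
}

// Constructed sample posts.
$posts = [
    '<b>bold</b> and <I>italic</I>',                      // allowlisted tags
    "< SCRIPT>\n// do something nasty here\n< /SCRIPT>",  // spaced form from the thread
    '<a href="http://example.com/">link</a>',             // tag carrying an attribute
    'true when a < b and c > d',                          // plain comparison text
];

foreach ($posts as $post) {
    echo render_post($post, ['b', 'i', 'em', 'strong', 'p']), "\n";
}
```

Only the first post comes back with live markup; the other three are displayed as typed, with their angle brackets as entities.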