Obi-Dan

Reputation: 187

PHP strip_tags not removing div (and others)

I'm trying to validate a comment form using AJAX/PHP. I'm very nearly done now, except the strip_tags function in PHP doesn't seem to remove all elements. Here's what I have:

$msg = $_POST['message'];
$msg = strip_tags( $msg );

This function only seems to be removing the closing tags. E.g. <div> entered into the message box is not being removed, whereas </div> is being removed. I want to literally remove every HTML element in the message. How do I achieve this?

Thanks, Dan.

Edit:

I feel like a complete idiot!

I have a validate function separate from my show comment function and just realised my mistake. I was never running strip_tags on the message I was displaying!

Anyway, thanks for trying to help!

Upvotes: 2

Views: 5664

Answers (2)

jay

Reputation: 916

One thing that strip_tags() can fail with is htmlentities().

It will make <div> appear as %3Cdiv%3E, for example.

Try this. htmlentities will convert code, e.g. %3C, to HTML, e.g. <

$msg = strip_tags(htmlentities($msg));

You should be able to see what you're trying to debug by comparing these:

echo $msg . '<br/>';
echo strip_tags($msg) . '<br/>';
echo htmlentities($msg) . '<br/>';
echo strip_tags(htmlentities($msg)) . '<br/>';

Upvotes: 4

Bob Davies

Reputation: 2282

strip_tags() sees a tag as a case-insensitive string between < and the first whitespace or >.

Thus strip_tags('< / div >') or strip_tags('< div >') would give no change if you have any whitespace in there.

You may wish to post an example of the string you're trying to clean.

You should also try echoing $msg directly and viewing the emitted source. Since you're POSTing the data (depending on how you're sending the data from the client) you may find you're actually trying to strip %3Cdiv%3E%3C%2Fdiv%3E (which is valid) instead of the <div></div> you'd expect.

Upvotes: 0
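
Added example, not part of the original question or answers: a sketch of sanitising a comment on the display path, covering the cases raised above (literal tags, a value that is still URL-encoded, whitespace after `<`, and escaping before stripping). The function name `render_comment()`, its `$stillUrlEncoded` flag and all sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example; render_comment() and the sample inputs are hypothetical,
// constructed for illustration.

/**
 * Prepare a submitted comment for display inside HTML.
 * Order matters: decode any leftover transport encoding first, strip
 * tags second, and escape at output time last.
 */
function render_comment(string $raw, bool $stillUrlEncoded = false): string
{
    // Only decode when the client is known to have encoded the value an
    // extra time; PHP already decodes normal form posts into $_POST.
    $text = $stillUrlEncoded ? rawurldecode($raw) : $raw;

    // Remove markup that strip_tags() recognises as tags.
    $text = strip_tags($text);

    // Escape whatever is left so the browser treats it as text, including
    // sequences strip_tags() did not treat as tags.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, one per case raised in the answers.
$samples = [
    'literal tags'      => ['<div>hello</div>', false],
    'still URL-encoded' => ['%3Cdiv%3Ehello%3C%2Fdiv%3E', true],
    'space after <'     => ['< div >hello< / div >', false],
];

foreach ($samples as $label => [$raw, $encoded]) {
    printf("%-18s raw:        %s\n", $label, $raw);
    printf("%-18s strip_tags: %s\n", '', strip_tags($raw));
    printf("%-18s rendered:   %s\n\n", '', render_comment($raw, $encoded));
}

// Escaping before stripping leaves strip_tags() nothing to match, because
// the angle brackets have already become &lt; and &gt;.
$escapedFirst = htmlentities('<div>hello</div>', ENT_QUOTES, 'UTF-8');
var_dump(strip_tags($escapedFirst) === $escapedFirst);
```

Calling the same function from both the validation code and the display code avoids the situation described in the question's edit, where the displayed message never passed through strip_tags().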
