Reputation: 373
I'm trying to remove any code that a user may have entered in the textarea. I've tried many things, nothing seems to work. Here's the code:
// Removes whole elements together with their inner content. $tags is an optional
// '<b><i>'-style list of tags to keep (or, with $invert = TRUE, the only tags to remove).
function strip_tags_content($text, $tags = '', $invert = FALSE) {
    // Pull the bare tag names out of the '<b><i>' list into $tags[1]
    preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
    $tags = array_unique($tags[1]);

    if (is_array($tags) AND count($tags) > 0) {
        if ($invert == FALSE) {
            // Remove every element whose tag name is NOT in the list
            return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
        }
        else {
            // Remove only the listed elements
            return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
        }
    }
    elseif ($invert == FALSE) {
        // No list given: remove every element and its content
        return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
    }
    return $text;
}

$message = $_POST['message'];
$message = nl2br($message);              // newlines become <br />
$message = strip_tags($message);         // removes all tags, including the <br /> just inserted
$message = strip_tags_content($message); // removes any remaining elements with their content
$message = htmlentities($message);       // encodes leftover < > & " as HTML entities
Even with all of this, I can still put HTML tags and have them printed out and run as HTML. How do I remove all tags?
Upvotes: 1
Views: 4114
Reputation: 184
You can use the HTMLPurifier class. It is really simple to use.
Read the documentation!! Here is an example:
function Sanitize_Inputs($inputs) {
    // Path elided in the original post; the library's autoloader file is HTMLPurifier.auto.php
    require_once('.../HTMLPurifier/HTMLPurifier.auto.php');
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    foreach ($inputs as $input_name => $valor) {
        // Rewrite each field down to the HTML subset the default config allows
        $inputs[$input_name] = $purifier->purify($valor);
    }
    $purifier = null;
    $config = null;
    return $inputs;
}

$sanitized = Sanitize_Inputs($_POST);
var_dump($sanitized);
exit;
Upvotes: 0
Reputation: 75629
I'm trying to remove any code that a user may have entered in the textarea. I've tried many things, nothing seems to work
But why do you want to do that? It's not really a problem on input. If a user entered e.g. <script ....> or <h1>foo</h1>, it does no harm. It's usually a problem on output (display), so I'd rather just call htmlspecialchars() on the data prior to display to "neutralize" HTML tags.
Upvotes: 0
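Escaping at display time, as the answer above suggests, as an added PHP example that is not from any post on this page; the sample message is constructed and render_message is a hypothetical helper name:

```php
<?php
// Added example: keep the message as typed, escape it when rendering, and
// insert line breaks only after escaping.

// Constructed sample input, as a user might type it into the textarea.
$rawMessage = "Hello <b>there</b>\n<script>document.title = 'x'</script>\nIt's 5 > 3 & \"quoted\"";

function render_message(string $raw): string
{
    // Encode the HTML-significant characters (& < > " ') so the browser shows
    // them as text instead of parsing them as markup. ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of making the call return an empty string.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Only now turn newlines into <br />. In the question's pipeline nl2br()
    // runs before strip_tags(), so the <br /> it inserts is stripped again and
    // the line breaks are lost; escaping first keeps them.
    return nl2br($escaped);
}

// Storage: keep $rawMessage exactly as typed (e.g. in the database). Nothing is
// removed, so legitimate text such as "5 > 3" is not mangled.
// Display: escape for the HTML body context at the point of output.
echo '<div class="message">' . render_message($rawMessage) . '</div>';
```

The same raw value would need a different escaping function if it were later placed inside a JavaScript string or a URL, which is why the escaping belongs at the output site rather than on input.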
Reputation: 1
You can use the strip_tags function; it strips all HTML and PHP tags by default, but you can allow some HTML tags (for example a, b, or span, useful in comments).
$message = strip_tags($_POST['message']); // remove every tag first
$message = nl2br($message);               // then add <br /> for newlines
or
$message = nl2br($_POST['message']);        // add <br /> for newlines first
$message = strip_tags($message, '<br><br/>'); // then strip everything except the <br> tags
Upvotes: 0
Reputation: 4301
Try using the filter_input function.
Example:
// FILTER_SANITIZE_STRING strips tags and encodes quotes (deprecated as of PHP 8.1)
$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING);
or
// FILTER_FLAG_STRIP_HIGH additionally removes characters with an ASCII value above 127
$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
Upvotes: 0