Adam Ramadhan

Reputation: 22810

Safe HTML filtering with PHP?

function validCleanHtml( $unclosedString )
{
    // Collect every opening tag (attribute-less only) from a copy of the input
    preg_match_all( "/<([^\/]\w*)>/", $closedString = $unclosedString, $tags );
    // Walk the opening tags in reverse and append a closing tag for each one
    // that has fewer closers than openers
    for ( $i = count( $tags[1] ) - 1; $i >= 0; $i-- )
    {
        $tag = $tags[1][$i];
        if ( substr_count( $closedString, "</$tag>" ) < substr_count( $closedString, "<$tag>" ) )
            $closedString .= "</$tag>";
    }
    // Strip every tag except <em> and <strong>; attributes on those two are left as-is
    $validTags = "<em><strong>";
    $validClosedString = strip_tags( $closedString, $validTags );
    return $validClosedString;
}

OK, what I want is to enable 2 HTML tags, em and strong. Is this secure from XSS? If not, how can we secure it?

Upvotes: 0

Views: 4802

Answers (2)

jasonbar

Reputation: 13461

Have you looked at any existing solutions like htmlpurifier? You really don't want to write your own HTML parser - and certainly not with regular expressions.

Upvotes: 12

Mitch Dempsey

Reputation: 39889

I think that strip_tags holds the answer.

https://www.php.net/strip_tags

Rather than enabling certain fields, you could also remove the ones you don't want. Namely: link, style, script, iframe, frame.

Upvotes: 4
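An added example, not code from the question or from either answer, to show concretely why the strip_tags() approach in the question and in this answer is not enough on its own and what an allow-list alternative looks like. strip_tags() leaves every attribute on an allowed tag in place, so an event-handler or style attribute on <em> or <strong> survives, and the text between removed <script> tags is kept as plain text. The DOM-based function below keeps only <em> and <strong>, drops all of their attributes, removes script and style elements with their content, and unwraps every other element so its text remains; DOMDocument also closes unclosed tags, which the question's preg_match_all loop was doing by hand. The function names naiveFilter, allowlistFilter and sanitizeChildren are my own, and the sample input at the bottom is constructed.

```php
<?php
// Added example, not code from the question or the answers. Function names
// naiveFilter, allowlistFilter and sanitizeChildren are assumptions of this
// example; the sample input at the bottom is constructed.

// The approach from the question, reduced to the part that matters for XSS:
// strip_tags() removes disallowed tags but leaves every attribute on an
// allowed tag untouched, and keeps the text between removed <script> tags.
function naiveFilter(string $html): string
{
    return strip_tags($html, '<em><strong>');
}

// Allow-list filter built on DOMDocument: only <em> and <strong> survive,
// with all attributes removed; <script> and <style> are dropped with their
// content; every other element is unwrapped so its text is kept; the parser
// also closes unclosed tags, which the question's regex loop tried to do by hand.
function allowlistFilter(string $html): string
{
    $allowed = ['em', 'strong'];
    $dropWithContent = ['script', 'style'];

    // Wrap the fragment in a full document so libxml parses it predictably
    // and treats the bytes as UTF-8.
    $wrapped = '<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>';

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // malformed input is expected, not fatal
    $doc->loadHTML($wrapped);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeChildren($body, $allowed, $dropWithContent);

    // Serialise only the body's children; saveHTML() entity-escapes text nodes.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeChildren(DOMNode $parent, array $allowed, array $dropWithContent): void
{
    // Snapshot the child list first: the loop body mutates the tree.
    $children = iterator_to_array($parent->childNodes);
    foreach ($children as $node) {
        if ($node instanceof DOMText) {
            continue; // plain text is kept; escaping happens at serialisation
        }
        if (!$node instanceof DOMElement) {
            $parent->removeChild($node); // comments and the like carry nothing we want
            continue;
        }
        $name = strtolower($node->tagName);
        if (in_array($name, $dropWithContent, true)) {
            $parent->removeChild($node); // drop the element together with its content
            continue;
        }
        sanitizeChildren($node, $allowed, $dropWithContent); // clean nested content first
        if (in_array($name, $allowed, true)) {
            // Keep the element but strip every attribute (onclick, style, ...).
            while ($node->attributes->length > 0) {
                $node->removeAttributeNode($node->attributes->item(0));
            }
        } else {
            // Not allowed: replace the element with its already-cleaned children.
            while ($node->firstChild !== null) {
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
        }
    }
}

// Constructed sample input: an allowed tag carrying an event handler, a link,
// a script block, an unknown tag and an unclosed <em>-style tag.
$sample = 'Hi <em onclick="doSomething()">there</em> <a href="http://example.invalid/">link</a>'
    . ' <script>doSomething()</script> <b>bold</b> <strong>open';

echo "strip_tags:  ", naiveFilter($sample), PHP_EOL;
echo "allow-list:  ", allowlistFilter($sample), PHP_EOL;
```

Run it with php on the command line and compare the two output lines: the strip_tags() line still carries the onclick attribute and the script body as text, while the allow-list line has bare <em> and <strong> elements, the link's text without its tag, no script content, and the trailing <strong> closed. Parsing into a tree and then deciding per node is the design choice that the regex and strip_tags() approaches lack: the decision is made on what the browser will actually see, not on a string match, which is also why the existing answer pointing at HTML Purifier is the more complete route for anything beyond two tags.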
