neolaser

Reputation: 6907

Codeigniter remove ALL html tags

How do you remove ALL HTML tags with CodeIgniter? I'm guessing you would have to use the PHP function strip_tags, but I wanted something like the global setting for XSS filtering.

Thanks

Upvotes: 3

Views: 22553

Answers (2)

Antonio Max

Reputation: 8825

This is what I use when I want to eliminate XSS, HTML and still preserve the user post content (even malicious code attempts)

private function stripHTMLtags($str)
{
    // Decode entities first so an already-encoded tag such as &lt;b&gt; is caught too,
    // then drop anything between < and >. (The original character class also excluded
    // '|', which left tags containing a pipe untouched; that is fixed here.)
    $t = preg_replace('/<[^<>]+?>/', '', htmlspecialchars_decode($str));
    // Encode what is left so quotes and special characters are inert when echoed.
    $t = htmlentities($t, ENT_QUOTES, "UTF-8");
    return $t;
}

The first regex removes everything that has an HTML format and the htmlentities takes care of quotes and stuff. Use it in your controller every time you need to REALLY clean things up. Fast and simple.

E.g., this very malicious string with lots of code tags and stuff

Just another post (http://codeigniter.com) blablabla text blabla:</p>1 from users; update users set password = 'password'; select * <div class="codeblock">[aça]<code><span style="color: rgb(221, 0, 0);">'username'</span><span style="color: rgb(0, 119, 0);">);&nbsp;</span><span style="color: rgb(255, 128, 0);">//&nbsp;filtered<br></span><span style="color: rgb(0, 0, 187);">- HELLO I'm a text with "-dashes_" and stuff '!!!?!?!?!$password&nbsp;</span></span>

<ok.>

Becomes

Just another post (http://codeigniter.com) blablabla text blabla:1 from users; update users set password = 'password'; select * [aça]'username');&nbsp;//&nbsp;filtered- HELLO I'm a text with "-dashes_" and stuff '!!!?!?!?!$password&nbsp; <ok.>

It still has the code, but that won't do anything on your DB. Use it like

$this->stripHTMLtags($this->input->post('html_text'));

You can put this function inside a library so you don't have to hack CI :)

Upvotes: 2

onteria_

Reputation: 70497

If you're referring to using the input methods, yes, you could technically open up system/libraries/Input.php, head down to this code:

/**
* Clean Input Data
*
* This is a helper function. It escapes data and
* standardizes newline characters to \n
*
* @access   private
* @param    string
* @return   string
*/
function _clean_input_data($str)
{
    if (is_array($str))
    {
        $new_array = array();
        foreach ($str as $key => $val)
        {
            $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
        }
        return $new_array;
    }

    // We strip slashes if magic quotes is on to keep things consistent
    if (get_magic_quotes_gpc())
    {
        $str = stripslashes($str);
    }

    // Should we filter the input data?
    if ($this->use_xss_clean === TRUE)
    {
        $str = $this->xss_clean($str);
    }

    // Standardize newlines
    if (strpos($str, "\r") !== FALSE)
    {
        $str = str_replace(array("\r\n", "\r"), "\n", $str);
    }

    return $str;
}

And right after the xss clean, you could put your own filtering function like so:

// Should we filter the input data?
if ($this->use_xss_clean === TRUE)
{
    $str = $this->xss_clean($str);
}

$str = strip_tags($str);

However, this means that every time you update CodeIgniter, you will have to make this change again. Also, since this does all of this globally, it won't make sense if the value you're getting back is, say for example, numeric. Because of these reasons

Code Igniter Cat Does Not Approve

Now for an alternative solution, you can use the CodeIgniter Form Validation library, which lets you set custom rules for fields, including PHP functions that can accept one argument, such as strip_tags:

$this->form_validation->set_rules('usertext', 'User Text', 'required|strip_tags');

I'm not sure what the circumstances are, so I'll let you decide which path to take, but in general I recommend handling data validation on a per case basis, since in a majority of cases the validation on the data is unique.

Upvotes: 18
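The per-field approach from the answer above, carried through as an added example (not code from the answer or from CodeIgniter itself): text fields get strip_tags as a validation rule, the numeric field keeps a numeric rule, and the cleaned values are read back with set_value(). The controller name, field names and view name are assumptions.

```php
<?php
// Added example, not from the original answers. Assumes CodeIgniter 3 with
// a form that posts 'title', 'body' and 'thread_id' to Post::submit().
defined('BASEPATH') OR exit('No direct script access allowed');

class Post extends CI_Controller
{
    public function submit()
    {
        $this->load->library('form_validation');
        $this->load->helper('form');

        // strip_tags is a one-argument PHP function, so it can be listed as a
        // rule; the validator stores its return value as the field's new data.
        $this->form_validation->set_rules('title', 'Title',
            'required|trim|strip_tags|max_length[120]');
        $this->form_validation->set_rules('body', 'Body',
            'required|strip_tags');

        // A numeric id is validated as a number instead of being tag-stripped,
        // which is the reason the answer argues against one global filter.
        $this->form_validation->set_rules('thread_id', 'Thread',
            'required|integer');

        if ($this->form_validation->run() === FALSE)
        {
            // Re-show the form; the error messages come from the rules above.
            $this->load->view('post_form');
            return;
        }

        // set_value() returns the data after the rules (strip_tags) have run.
        $data = array(
            'title'     => set_value('title'),
            'body'      => set_value('body'),
            'thread_id' => (int) set_value('thread_id'),
        );

        // Stripping tags on input is not output encoding: the view should still
        // echo these with html_escape() so quotes and ampersands stay inert.
        $this->load->view('post_saved', $data);
    }
}
```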
