0
votes

I was using the PHP strip_tags() function to remove HTML tags from my text area input and to remove < script > tags to help guard against scripting attacks.

Anyway, oftentimes the user is going to need to input XML tags that are not known in advance. However, my strip_tags function is removing these benign XML tags as well, which is not acceptable.

Also, I'll sometimes put filename.< date>.png (had to add a space there because StackOverflow removed it as well lol) to indicate variable parts of a file name or path. In this case what I end up with is filename..png after strip_tags is run.

Any help would be greatly appreciated.

3
Since XML also uses tags, you cannot. Besides, it would basically defeat the purpose of string tags, since you can still cram JavaScript into any unknown tag. – dqhendricks

3 Answers

0
votes

strip_tags() is defined as removing all HTML/XML tags (other than the individual tags specified in the second argument). There is no distinction between the two types of tags, nor between that and <date> used as a placeholder -- all three look like tags to strip_tags(), so it removes them.

0
votes

It is not possible to make strip_tags not remove unknown tags. You may want to look at DOMDocument for a viable alternative.

0
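votes

// $allowedTags: array of tag names to keep, without angle brackets. First, rename the XML declaration so strip_tags() keeps it.
$s = preg_replace("/<\?xml(.*?)\?>/i", "<xmlDeclaration$1>", $s);
// Strip every tag except the placeholder and the allowed ones (attributes on kept tags are not removed).
$s = strip_tags($s, '<xmlDeclaration><' . implode('><', $allowedTags) . '>');
// Turn the placeholder back into the XML declaration.
$s = preg_replace("/<xmlDeclaration(.*?)>/i", "<?xml$1?>", $s);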
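
An added example, not from any answer in this thread: it runs inputs like the ones in the question through strip_tags() and through htmlspecialchars() output encoding, which keeps unknown tags and placeholders as text while leaving nothing for the browser to parse as markup. The sample strings and the helper names encode_for_html() and has_live_tag() are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs modelled on the question (not real user data).
$samples = [
    'placeholder' => 'filename.<date>.png',
    'xml'         => '<?xml version="1.0"?><order id="7"><item>disk</item></order>',
    'attribute'   => '<item onmouseover="handler()">disk</item>',
];

/**
 * Hypothetical helper: encode text for an HTML element body or a quoted
 * attribute value. Nothing is removed; markup characters become entities.
 */
function encode_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** True if the string still contains something a browser would parse as a tag. */
function has_live_tag(string $html): bool
{
    return preg_match('/<[a-zA-Z\/!?]/', $html) === 1;
}

foreach ($samples as $name => $input) {
    $stripped = strip_tags($input);            // drops every tag-like token
    $allowed  = strip_tags($input, '<item>');  // keeps <item>, attributes included
    $encoded  = encode_for_html($input);       // keeps the text, makes it inert

    printf("[%s]\n", $name);
    printf("  input            : %s\n", $input);
    printf("  strip_tags       : %s\n", $stripped);
    printf("  strip_tags+allow : %s (live tag: %s)\n",
        $allowed, has_live_tag($allowed) ? 'yes' : 'no');
    printf("  encoded          : %s (live tag: %s)\n",
        $encoded, has_live_tag($encoded) ? 'yes' : 'no');
    // The encoding is reversible, so none of the user's text is lost.
    printf("  round trip ok    : %s\n",
        htmlspecialchars_decode($encoded, ENT_QUOTES) === $input ? 'yes' : 'no');
}
```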