reference/strings/functions/strip-tags.xml
8cdc6621f9826d04abc3e50438c010804d7e8683
...
...
@@ -1,6 +1,6 @@
1
-
<?xml version="1.0" encoding="iso-8859-1"?>
1
+
<?xml version="1.0" encoding="utf-8"?>
2
2
<!-- $Revision$ -->
3
-
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.strip-tags">
3
+
<refentry xml:id="function.strip-tags" xmlns="http://docbook.org/ns/docbook">
4
4
<refnamediv>
5
5
<refname>strip_tags</refname>
6
6
<refpurpose>Strip HTML and PHP tags from a string</refpurpose>
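Review bot: the declared encoding changes from iso-8859-1 to utf-8 but no content line in this hunk is re-encoded; confirm the file bytes were actually transcoded (or that the file is pure ASCII), otherwise any non-ASCII character elsewhere in the file becomes malformed UTF-8 after this commit. The swap of `xml:id` and `xmlns` on `<refentry>` is attribute order only and changes nothing.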
...
...
@@ -10,12 +10,12 @@
10
10
&reftitle.description;
11
11
<methodsynopsis>
12
12
<type>string</type><methodname>strip_tags</methodname>
13
-
<methodparam><type>string</type><parameter>str</parameter></methodparam>
14
-
<methodparam choice="opt"><type>string</type><parameter>allowable_tags</parameter></methodparam>
13
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
14
+
<methodparam choice="opt"><type class="union"><type>array</type><type>string</type><type>null</type></type><parameter>allowed_tags</parameter><initializer>&null;</initializer></methodparam>
15
15
</methodsynopsis>
16
16
<para>
17
-
This function tries to return a string with all HTML and PHP tags stripped
18
-
from a given <parameter>str</parameter>. It uses the same tag stripping
17
+
This function tries to return a string with all NULL bytes, HTML and PHP tags stripped
18
+
from a given <parameter>string</parameter>. It uses the same tag stripping
19
19
state machine as the <function>fgetss</function> function.
20
20
</para>
21
21
</refsect1>
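Review bot: the new sentence "all NULL bytes, HTML and PHP tags stripped" reads as if NULL bytes were a kind of tag; since NUL-byte removal is new information in this description and is behaviour a caller doing input sanitisation will want to rely on explicitly, suggest splitting it: "This function tries to return a string with all HTML and PHP tags stripped from a given string. NUL bytes are stripped as well." The synopsis change to `array|string|null` with `&null;` as initializer is consistent with the 8.0.0 changelog row added further down in this change.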
...
...
@@ -25,7 +25,7 @@
25
25
<para>
26
26
<variablelist>
27
27
<varlistentry>
28
-
<term><parameter>str</parameter></term>
28
+
<term><parameter>string</parameter></term>
29
29
<listitem>
30
30
<para>
31
31
The input string.
...
...
@@ -33,18 +33,37 @@
33
33
</listitem>
34
34
</varlistentry>
35
35
<varlistentry>
36
-
<term><parameter>allowable_tags</parameter></term>
36
+
<term><parameter>allowed_tags</parameter></term>
37
37
<listitem>
38
38
<para>
39
39
You can use the optional second parameter to specify tags which should
40
40
not be stripped.
41
+
These are either given as &string;, or as of PHP 7.4.0, as &array;.
42
+
Refer to the example below regarding the format of this parameter.
41
43
</para>
42
44
<note>
43
45
<para>
44
46
HTML comments and PHP tags are also stripped. This is hardcoded and
45
-
can not be changed with <parameter>allowable_tags</parameter>.
47
+
can not be changed with <parameter>allowed_tags</parameter>.
46
48
</para>
47
49
</note>
50
+
<note>
51
+
<para>
52
+
Self-closing XHTML tags are ignored and only non-self-closing tags should be used in
53
+
<parameter>allowed_tags</parameter>. For example,
54
+
to allow both <literal>&lt;br&gt;</literal> and
55
+
<literal>&lt;br/&gt;</literal>, you should use:
56
+
</para>
57
+
<informalexample>
58
+
<programlisting role="php">
59
+
<![CDATA[
60
+
<?php
61
+
strip_tags($input, '<br>');
62
+
?>
63
+
]]>
64
+
</programlisting>
65
+
</informalexample>
66
+
</note>
48
67
</listitem>
49
68
</varlistentry>
50
69
</variablelist>
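Review bot: "Self-closing XHTML tags are ignored" in the new note does not say where they are ignored; the example shows that `<br>` in `allowed_tags` covers both `<br>` and `<br/>` in the input, so state plainly that a self-closing form such as `<br/>` written into `allowed_tags` is not recognised as an allowed tag, rather than leaving the reader to infer it from "should be used". The example also shows only the string form, although this same change introduces the array form for PHP 7.4.0; adding `strip_tags($input, ['br']);` beside `strip_tags($input, '<br>');` would show both forms at the one place where readers are told how the parameter is written.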
...
...
@@ -70,22 +89,16 @@
70
89
</row>
71
90
</thead>
72
91
<tbody>
92
+
<row>
93
+
<entry>8.0.0</entry>
94
+
<entry>
95
+
<parameter>allowed_tags</parameter> is nullable now.
96
+
</entry>
97
+
</row>
73
98
<row>
74
-
<entry>5.0.0</entry>
75
-
<entry>
76
-
<function>strip_tags</function> is now binary safe
77
-
</entry>
78
-
</row>
79
-
<row>
80
-
<entry>4.3.0</entry>
99
+
<entry>7.4.0</entry>
81
100
<entry>
82
-
HTML comments are now always stripped
83
-
</entry>
84
-
</row>
85
-
<row>
86
-
<entry>4.0.0</entry>
87
-
<entry>
88
-
The <parameter>allowable_tags</parameter> parameter was added
101
+
The <parameter>allowed_tags</parameter> now alternatively accepts an &array;.
89
102
</entry>
90
103
</row>
91
104
</tbody>
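Review bot: the new 7.4.0 row is missing a noun: "The <parameter>allowed_tags</parameter> now alternatively accepts an &array;" should read "The <parameter>allowed_tags</parameter> parameter now also accepts an &array;", matching the phrasing of the 8.0.0 row above it. The removed 5.0.0 (binary safe) and 4.3.0 (comments always stripped) rows were the changelog record for behaviour the description and note still assert as current (NUL bytes stripped, comments always stripped); if pre-5.3 rows are being pruned as a matter of policy that is fine, but the commit message should say so, since at present the deletion looks like a content change.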
...
...
@@ -108,6 +121,9 @@ echo "\n";
108
121

109
122
// Allow <p> and <a>
110
123
echo strip_tags($text, '<p><a>');
124
+

125
+
// as of PHP 7.4.0 the line above can be written as:
126
+
// echo strip_tags($text, ['p', 'a']);
111
127
?>
112
128
]]>
113
129
</programlisting>
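Review bot: the commented-out `// echo strip_tags($text, ['p', 'a']);` is the only place in this change that shows array entries are bare tag names without angle brackets, and the `allowed_tags` description above refers readers to "the example below" for exactly that format; suggest stating it in a sentence ("array entries are tag names without angle brackets") either here or in the parameter description rather than leaving it implicit in a code comment, since a caller who writes `['<p>', '<a>']` by analogy with the string form may silently end up with a different allow-list than intended.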
...
...
@@ -126,20 +142,34 @@ Test paragraph. Other text
126
142
&reftitle.notes;
127
143
<warning>
128
144
<para>
145
+
This function should not be used to try to prevent XSS attacks.
146
+
Use more appropriate functions like <function>htmlspecialchars</function>
147
+
or other means depending on the context of the output.
148
+
</para>
149
+
</warning>
150
+
<warning>
151
+
<para>
129
152
Because <function>strip_tags</function> does not actually validate the
130
-
HTML, partial, or broken tags can result in the removal of more
153
+
HTML, partial or broken tags can result in the removal of more
131
154
text/data than expected.
132
155
</para>
133
156
</warning>
134
157
<warning>
135
158
<para>
136
159
This function does not modify any attributes on the tags that you allow
137
-
using <parameter>allowable_tags</parameter>, including the
160
+
using <parameter>allowed_tags</parameter>, including the
138
161
<literal>style</literal> and <literal>onmouseover</literal> attributes
139
162
that a mischievous user may abuse when posting text that will be shown
140
163
to other users.
141
164
</para>
142
165
</warning>
166
+
<note>
167
+
<para>
168
+
Tag names within the input HTML that are greater than 1023 bytes in length
169
+
will be treated as though they are invalid, regardless of the
170
+
<parameter>allowed_tags</parameter> parameter.
171
+
</para>
172
+
</note>
143
173
</refsect1>
144
174

145
175
<refsect1 role="seealso">
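Review bot: the new XSS warning is the most important addition here and should say why `strip_tags` is insufficient rather than only pointing at `htmlspecialchars`; the warning that follows already gives the reason (attributes such as `style` and `onmouseover` on allowed tags are left untouched), so a cross-reference between the two would make the advice concrete. The new 1023-byte note says over-long tag names are "treated as though they are invalid" without saying what happens to invalid tags (stripped, or passed through unchanged); state the outcome explicitly, because that is what a reader assessing the filter's behaviour on hostile input needs to know. The "partial, or broken" to "partial or broken" fix is correct.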
...
...
@@ -152,7 +182,6 @@ Test paragraph. Other text
152
182
</refsect1>
153
183

154
184
</refentry>
155
-

156
185
<!-- Keep this comment at the end of the file
157
186
Local variables:
158
187
mode: sgml
159
188