reference/strings/functions/strip-tags.xml
8cdc6621f9826d04abc3e50438c010804d7e8683
...
...
@@ -1,6 +1,6 @@
1
1
<?xml version="1.0" encoding="utf-8"?>
2
2
<!-- $Revision$ -->
3
-
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.strip-tags">
3
+
<refentry xml:id="function.strip-tags" xmlns="http://docbook.org/ns/docbook">
4
4
<refnamediv>
5
5
<refname>strip_tags</refname>
6
6
<refpurpose>Strip HTML and PHP tags from a string</refpurpose>
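Review bot: the only change in this hunk is swapping the order of the `xml:id` and `xmlns` attributes on `<refentry>`, which is cosmetic; if an attribute order is enforced elsewhere in the manual tree this is fine, otherwise it adds noise to a diff that is otherwise about the parameter rename and could be dropped to keep the change focused.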
...
...
@@ -10,12 +10,12 @@
10
10
&reftitle.description;
11
11
<methodsynopsis>
12
12
<type>string</type><methodname>strip_tags</methodname>
13
-
<methodparam><type>string</type><parameter>str</parameter></methodparam>
14
-
<methodparam choice="opt"><type>string</type><parameter>allowable_tags</parameter></methodparam>
13
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
14
+
<methodparam choice="opt"><type class="union"><type>array</type><type>string</type><type>null</type></type><parameter>allowed_tags</parameter><initializer>&null;</initializer></methodparam>
15
15
</methodsynopsis>
16
16
<para>
17
17
This function tries to return a string with all NULL bytes, HTML and PHP tags stripped
18
-
from a given <parameter>str</parameter>. It uses the same tag stripping
18
+
from a given <parameter>string</parameter>. It uses the same tag stripping
19
19
state machine as the <function>fgetss</function> function.
20
20
</para>
21
21
</refsect1>
...
...
@@ -25,7 +25,7 @@
25
25
<para>
26
26
<variablelist>
27
27
<varlistentry>
28
-
<term><parameter>str</parameter></term>
28
+
<term><parameter>string</parameter></term>
29
29
<listitem>
30
30
<para>
31
31
The input string.
...
...
@@ -33,27 +33,36 @@
33
33
</listitem>
34
34
</varlistentry>
35
35
<varlistentry>
36
-
<term><parameter>allowable_tags</parameter></term>
36
+
<term><parameter>allowed_tags</parameter></term>
37
37
<listitem>
38
38
<para>
39
39
You can use the optional second parameter to specify tags which should
40
40
not be stripped.
41
+
These are either given as &string;, or as of PHP 7.4.0, as &array;.
42
+
Refer to the example below regarding the format of this parameter.
41
43
</para>
42
44
<note>
43
45
<para>
44
46
HTML comments and PHP tags are also stripped. This is hardcoded and
45
-
can not be changed with <parameter>allowable_tags</parameter>.
47
+
can not be changed with <parameter>allowed_tags</parameter>.
46
48
</para>
47
49
</note>
48
50
<note>
49
51
<para>
50
-
This parameter should not contain whitespace.
51
-
<function>strip_tags</function> sees a tag as a case-insensitive
52
-
string between <literal>&lt;</literal> and the first whitespace or
53
-
<literal>&gt;</literal>. It means that
54
-
<literal>strip_tags("&lt;br/&gt;", "&lt;br&gt;")</literal> returns an
55
-
empty string.
52
+
Self-closing XHTML tags are ignored and only non-self-closing tags should be used in
53
+
<parameter>allowed_tags</parameter>. For example,
54
+
to allow both <literal>&lt;br&gt;</literal> and
55
+
<literal>&lt;br/&gt;</literal>, you should use:
56
56
</para>
57
+
<informalexample>
58
+
<programlisting role="php">
59
+
<![CDATA[
60
+
<?php
61
+
strip_tags($input, '<br>');
62
+
?>
63
+
]]>
64
+
</programlisting>
65
+
</informalexample>
57
66
</note>
58
67
</listitem>
59
68
</varlistentry>
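Review bot: the parameter description does not say what the new `&null;` default means, even though the synopsis in this change declares `allowed_tags` as `array|string|null` with `<initializer>&null;</initializer>`; add a sentence stating the effect of passing &null; (presumably the same as omitting the parameter, so that every tag is stripped), since a reader would otherwise have to guess. The added sentence `These are either given as &string;, or as of PHP 7.4.0, as &array;.` also reads awkwardly; suggest `This can be given as a &string;, or, as of PHP 7.4.0, as an &array;.` Since the array form is new in this change, the `<informalexample>` in the self-closing-tag note could show both spellings, e.g. `strip_tags($input, '<br>');` and `strip_tags($input, ['br']);`.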
...
...
@@ -80,10 +89,16 @@
80
89
</row>
81
90
</thead>
82
91
<tbody>
92
+
<row>
93
+
<entry>8.0.0</entry>
94
+
<entry>
95
+
<parameter>allowed_tags</parameter> is nullable now.
96
+
</entry>
97
+
</row>
83
98
<row>
84
-
<entry>5.0.0</entry>
99
+
<entry>7.4.0</entry>
85
100
<entry>
86
-
<function>strip_tags</function> is now binary safe.
101
+
The <parameter>allowed_tags</parameter> now alternatively accepts an &array;.
87
102
</entry>
88
103
</row>
89
104
</tbody>
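Review bot: the 7.4.0 row replaces the existing 5.0.0 `is now binary safe` row instead of being added as a new row, so that entry disappears from the changelog; if dropping the 5.0.0 entry is intentional (pruning of old entries), say so in the commit message, otherwise add the 7.4.0 row alongside it. The new wording `The <parameter>allowed_tags</parameter> now alternatively accepts an &array;.` is awkward; suggest `<parameter>allowed_tags</parameter> now also accepts an &array;.`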
...
...
@@ -106,6 +121,9 @@ echo "\n";
106
121

107
122
// Allow <p> and <a>
108
123
echo strip_tags($text, '<p><a>');
124
+

125
+
// as of PHP 7.4.0 the line above can be written as:
126
+
// echo strip_tags($text, ['p', 'a']);
109
127
?>
110
128
]]>
111
129
</programlisting>
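Review bot: minor style point: the added comment `// as of PHP 7.4.0 the line above can be written as:` should start with a capital letter to match the other comments in the listing, such as `// Allow <p> and <a>`.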
...
...
@@ -124,6 +142,13 @@ Test paragraph. Other text
124
142
&reftitle.notes;
125
143
<warning>
126
144
<para>
145
+
This function should not be used to try to prevent XSS attacks.
146
+
Use more appropriate functions like <function>htmlspecialchars</function>
147
+
or other means depending on the context of the output.
148
+
</para>
149
+
</warning>
150
+
<warning>
151
+
<para>
127
152
Because <function>strip_tags</function> does not actually validate the
128
153
HTML, partial or broken tags can result in the removal of more
129
154
text/data than expected.
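Review bot: the new XSS warning and the existing warning further down that tags kept via `allowed_tags` retain attributes such as `style` and `onmouseover` describe the same risk; consider placing the new warning directly before that one, or folding the attribute point into it, so the reader sees the reason `strip_tags` is not an XSS defence (allowed tags keep their attributes) next to the advice to use `htmlspecialchars` or escaping appropriate to the output context. The advice itself is sound.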
...
...
@@ -132,7 +157,7 @@ Test paragraph. Other text
132
157
<warning>
133
158
<para>
134
159
This function does not modify any attributes on the tags that you allow
135
-
using <parameter>allowable_tags</parameter>, including the
160
+
using <parameter>allowed_tags</parameter>, including the
136
161
<literal>style</literal> and <literal>onmouseover</literal> attributes
137
162
that a mischievous user may abuse when posting text that will be shown
138
163
to other users.
...
...
@@ -142,7 +167,7 @@ Test paragraph. Other text
142
167
<para>
143
168
Tag names within the input HTML that are greater than 1023 bytes in length
144
169
will be treated as though they are invalid, regardless of the
145
-
<parameter>allowable_tags</parameter> parameter.
170
+
<parameter>allowed_tags</parameter> parameter.
146
171
</para>
147
172
</note>
148
173
</refsect1>
...
...
@@ -157,7 +182,6 @@ Test paragraph. Other text
157
182
</refsect1>
158
183

159
184
</refentry>
160
-

161
185
<!-- Keep this comment at the end of the file
162
186
Local variables:
163
187
mode: sgml
164
188