reference/strings/functions/strip-tags.xml
8cdc6621f9826d04abc3e50438c010804d7e8683
...
...
@@ -1,6 +1,6 @@
1
1
<?xml version="1.0" encoding="utf-8"?>
2
2
<!-- $Revision$ -->
3
-
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.strip-tags">
3
+
<refentry xml:id="function.strip-tags" xmlns="http://docbook.org/ns/docbook">
4
4
<refnamediv>
5
5
<refname>strip_tags</refname>
6
6
<refpurpose>Strip HTML and PHP tags from a string</refpurpose>
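Review bot: swapping the order of xml:id and xmlns on <refentry> is a no-op for the XML and is unrelated to the parameter rename this change is about; either keep it out of this commit or mention it in the commit message as a consistency cleanup, so reviewers of the rename do not have to puzzle over it.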
...
...
@@ -10,12 +10,12 @@
10
10
&reftitle.description;
11
11
<methodsynopsis>
12
12
<type>string</type><methodname>strip_tags</methodname>
13
-
<methodparam><type>string</type><parameter>str</parameter></methodparam>
14
-
<methodparam choice="opt"><type>string</type><parameter>allowable_tags</parameter></methodparam>
13
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
14
+
<methodparam choice="opt"><type class="union"><type>array</type><type>string</type><type>null</type></type><parameter>allowed_tags</parameter><initializer>&null;</initializer></methodparam>
15
15
</methodsynopsis>
16
16
<para>
17
17
This function tries to return a string with all NULL bytes, HTML and PHP tags stripped
18
-
from a given <parameter>str</parameter>. It uses the same tag stripping
18
+
from a given <parameter>string</parameter>. It uses the same tag stripping
19
19
state machine as the <function>fgetss</function> function.
20
20
</para>
21
21
</refsect1>
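Review bot: the unchanged context at new lines 18-19 still says strip_tags "uses the same tag stripping state machine as the fgetss function", but fgetss was removed in PHP 8.0, the same version whose changes this commit documents, so the cross-reference now points at a function that no longer exists. Suggest rewording to describe the behaviour directly, e.g. "It uses a simple tag-stripping state machine rather than an HTML parser", which also motivates the later warning that partial or broken tags can remove more text than expected. While touching the paragraph, "This function tries to return" would read better as "This function returns".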
...
...
@@ -25,7 +25,7 @@
25
25
<para>
26
26
<variablelist>
27
27
<varlistentry>
28
-
<term><parameter>str</parameter></term>
28
+
<term><parameter>string</parameter></term>
29
29
<listitem>
30
30
<para>
31
31
The input string.
...
...
@@ -33,23 +33,24 @@
33
33
</listitem>
34
34
</varlistentry>
35
35
<varlistentry>
36
-
<term><parameter>allowable_tags</parameter></term>
36
+
<term><parameter>allowed_tags</parameter></term>
37
37
<listitem>
38
38
<para>
39
39
You can use the optional second parameter to specify tags which should
40
40
not be stripped.
41
+
These are either given as &string;, or as of PHP 7.4.0, as &array;.
42
+
Refer to the example below regarding the format of this parameter.
41
43
</para>
42
44
<note>
43
45
<para>
44
46
HTML comments and PHP tags are also stripped. This is hardcoded and
45
-
can not be changed with <parameter>allowable_tags</parameter>.
47
+
can not be changed with <parameter>allowed_tags</parameter>.
46
48
</para>
47
49
</note>
48
50
<note>
49
51
<para>
50
-
In PHP 5.3.4 and later, self-closing
51
-
XHTML tags are ignored and only non-self-closing tags should be used in
52
-
<parameter>allowable_tags</parameter>. For example,
52
+
Self-closing XHTML tags are ignored and only non-self-closing tags should be used in
53
+
<parameter>allowed_tags</parameter>. For example,
53
54
to allow both <literal>&lt;br&gt;</literal> and
54
55
<literal>&lt;br/&gt;</literal>, you should use:
55
56
</para>
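Review bot: the new sentence at new line 41 introduces the array form of allowed_tags but leaves its format to "the example below", where it appears only in a commented-out line; state the format here explicitly: array entries are bare tag names without angle brackets (e.g. ['p', 'a']), whereas the string form lists the tags as '<p><a>'. Two smaller points in the same hunk: "can not" at new line 47 should be "cannot", and the note at new lines 52-53 now states the self-closing-tag behaviour unconditionally, which is consistent with dropping the 5.3.4 row from the changelog.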
...
...
@@ -88,18 +89,16 @@ strip_tags($input, '<br>');
88
89
</row>
89
90
</thead>
90
91
<tbody>
92
+
<row>
93
+
<entry>8.0.0</entry>
94
+
<entry>
95
+
<parameter>allowed_tags</parameter> is nullable now.
96
+
</entry>
97
+
</row>
91
98
<row>
92
-
<entry>5.3.4</entry>
99
+
<entry>7.4.0</entry>
93
100
<entry>
94
-
<function>strip_tags</function> ignores self-closing XHTML
95
-
tags in
96
-
<parameter>allowable_tags</parameter>.
97
-
</entry>
98
-
</row>
99
-
<row>
100
-
<entry>5.0.0</entry>
101
-
<entry>
102
-
<function>strip_tags</function> is now binary safe.
101
+
The <parameter>allowed_tags</parameter> now alternatively accepts an &array;.
103
102
</entry>
104
103
</row>
105
104
</tbody>
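Review bot: the 7.4.0 row at new line 101 reads "The allowed_tags now alternatively accepts an array"; drop the leading "The" and simplify to "allowed_tags now also accepts an array of tag names". The new 8.0.0 row says allowed_tags "is nullable now", but nothing else on the page says what passing null means; add a sentence to the parameter description stating that null is equivalent to omitting the argument, i.e. no tags are allowed, so the changelog entry is not the only place the reader learns about it.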
...
...
@@ -122,6 +121,9 @@ echo "\n";
122
121

123
122
// Allow <p> and <a>
124
123
echo strip_tags($text, '<p><a>');
124
+

125
+
// as of PHP 7.4.0 the line above can be written as:
126
+
// echo strip_tags($text, ['p', 'a']);
125
127
?>
126
128
]]>
127
129
</programlisting>
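Review bot: the array form at new lines 125-126 is only a commented-out line, so the example's output never exercises it and the parameter description's "refer to the example below regarding the format" points at a comment; consider a second, live call (or a separate example) showing that strip_tags($text, ['p', 'a']) produces the same output as strip_tags($text, '<p><a>'). Also capitalise "As of PHP 7.4.0" to match the surrounding comment style ("// Allow <p> and <a>").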
...
...
@@ -140,6 +142,13 @@ Test paragraph. Other text
140
142
&reftitle.notes;
141
143
<warning>
142
144
<para>
145
+
This function should not be used to try to prevent XSS attacks.
146
+
Use more appropriate functions like <function>htmlspecialchars</function>
147
+
or other means depending on the context of the output.
148
+
</para>
149
+
</warning>
150
+
<warning>
151
+
<para>
143
152
Because <function>strip_tags</function> does not actually validate the
144
153
HTML, partial or broken tags can result in the removal of more
145
154
text/data than expected.
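Review bot: the new warning at new lines 145-147 gives the right advice but not the reason, while the existing warning further down already supplies it (attributes such as style and onmouseover on allowed tags are left untouched); suggest tying the two together, e.g. "...because attributes on allowed tags are not filtered (see below)", so a reader who stops at the first warning understands why stripping tags is not a substitute for output encoding. The phrase "or other means depending on the context of the output" could also be more concrete: htmlspecialchars is the right tool when the value is emitted as HTML text, and a dedicated HTML sanitiser is needed when some markup must be preserved.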
...
...
@@ -148,7 +157,7 @@ Test paragraph. Other text
148
157
<warning>
149
158
<para>
150
159
This function does not modify any attributes on the tags that you allow
151
-
using <parameter>allowable_tags</parameter>, including the
160
+
using <parameter>allowed_tags</parameter>, including the
152
161
<literal>style</literal> and <literal>onmouseover</literal> attributes
153
162
that a mischievous user may abuse when posting text that will be shown
154
163
to other users.
...
...
@@ -158,7 +167,7 @@ Test paragraph. Other text
158
167
<para>
159
168
Tag names within the input HTML that are greater than 1023 bytes in length
160
169
will be treated as though they are invalid, regardless of the
161
-
<parameter>allowable_tags</parameter> parameter.
170
+
<parameter>allowed_tags</parameter> parameter.
162
171
</para>
163
172
</note>
164
173
</refsect1>
...
...
@@ -173,7 +182,6 @@ Test paragraph. Other text
173
182
</refsect1>
174
183

175
184
</refentry>
176
-

177
185
<!-- Keep this comment at the end of the file
178
186
Local variables:
179
187
mode: sgml
180
188