I want to allow the use of tags: <b>, <i>, <kbd>, etc.

That is why I use the strip_tags() function in the code, but it removes HTML and PHP tags. htmlspecialchars(), in turn, simply replaces them with the corresponding entities, which means that if I later apply htmlspecialchars_decode() to them, none of the tags will be escaped, which threatens security.


How can I allow only certain tags to be displayed? Or should I still use strip_tags(), at the risk of inconveniencing the user (although a user who wants to use them that much is not really a user :))?

  • You need to specify allowable_tags - Dantessss
  • About strip_tags(): Warning: This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users. - Visman
  • You could look at this -> htmlpurifier.org - Visman
  • @Visman, I did not make it clear that I do not need to delete the tag itself; let it stay. strip_tags() deletes the tags, and I do not need them deleted. I need to keep the selected ones. - user269127
  • Since ancient times, jevix has been used in PHP for this purpose. - andreymal

3 answers

One option is to make a whitelist of certain tags and remove those that are not on the list.

Suppose the allowed tags are <b> and <i>. We create a collection containing these 2 tags. Next, we write a regular expression that identifies a tag. Then we repeatedly search the input string for tags with this regular expression and, if a tag is not in our collection, replace it with an empty string.

  • Could you describe the algorithm in more detail? - user269127
  • Post comment back. - 0xdb
  • Here you need to be very careful with the implementation of this idea. For example, you can write such a stupid regex that, from the text <sc<foo>ript>, it removes the forbidden <foo> and as a result you get <script>. You will need to either make the regex smarter, or run several iterations, or change something else. Although in any case it is probably better to just take jevix) - andreymal
  • And depending on the regex, HTML attributes may or may not get through. If they get through, that is the way to XSS. - andreymal
  • And besides, you still need to provide protection so that the plain text <!-- does not break the whole site. @Cricket, if you are thinking about security, think about this :) - andreymal
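The removal-based whitelist from this answer, as an added example (not code from the answer or its comments), with the three pitfalls raised in the comments side by side: a single regex pass that lets `<sc<foo>ript>` reassemble into `<script>`, attributes such as `onmouseover` surviving on an allowed tag (which is exactly what `strip_tags()` with `allowable_tags` does), and stray markup such as `<!--` reaching the page. The function names, the tag list and the sample inputs are constructed for the illustration.

```php
<?php
// Added example: a naive one-pass whitelist next to a hardened version.
// Function names are hypothetical; the samples are constructed inputs.
declare(strict_types=1);

// Naive single pass: every tag not on the whitelist is deleted once.
function naiveWhitelist(string $html, array $allowed): string
{
    return preg_replace_callback(
        '~<\s*(/?)\s*([a-zA-Z0-9]+)[^<>]*>~',
        function (array $m) use ($allowed): string {
            return in_array(strtolower($m[2]), $allowed, true) ? $m[0] : '';
        },
        $html
    );
}

// Hardened version:
//  1. repeat until the text stops changing, so removing "<foo>" from
//     "<sc<foo>ript>" cannot leave a fresh "<script>" behind;
//  2. rebuild allowed tags from the tag name alone, dropping every attribute
//     (strip_tags() would keep onmouseover="..." on an allowed <b>);
//  3. escape whatever '<', '>', '&' and quotes remain ("<!--", unterminated
//     tags, plain text), so no raw markup other than the whitelist reaches the page.
function whitelistTags(string $html, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);
    $html    = str_replace("\0", '', $html);   // NUL is used as placeholder marker below
    $pattern = '~<\s*(/?)\s*([a-zA-Z0-9]+)[^<>]*>~';

    do {
        $before = $html;
        $html = preg_replace_callback($pattern, function (array $m) use ($allowed): string {
            $name = strtolower($m[2]);
            // Allowed tag: keep only "<name>" or "</name>"; anything else: delete.
            return in_array($name, $allowed, true) ? '<' . $m[1] . $name . '>' : '';
        }, $html);
    } while ($html !== $before);   // fixed point: nothing left to remove or normalise

    // Swap the surviving (attribute-free) tags for placeholders, escape the
    // rest of the text, then put the tags back.
    $placeholders = [];
    $tagRegex = '~</?(?:' . implode('|', array_map('preg_quote', $allowed)) . ')>~';
    $html = preg_replace_callback($tagRegex, function (array $m) use (&$placeholders): string {
        $key = "\0" . count($placeholders) . "\0";
        $placeholders[$key] = $m[0];
        return $key;
    }, $html);

    $html = htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strtr($html, $placeholders);
}

// Constructed samples: the nested-tag trick from the comments, and an allowed
// tag carrying an event handler next to an HTML comment and a bare ampersand.
$allowed = ['b', 'i', 'kbd'];
$samples = [
    '<sc<foo>ript>alert(1)</script>',
    '<b onmouseover="alert(1)">bold</b> & <!-- comment --> <i>it</i>',
];
foreach ($samples as $s) {
    echo "naive:    ", naiveWhitelist($s, $allowed), "\n";
    echo "hardened: ", whitelistTags($s, $allowed), "\n\n";
}
```

On the first sample the single-pass function returns `<script>alert(1)`, because deleting `<foo>` joins the two halves into a tag it has already passed over; the fixed-point loop removes the reassembled `<script>` on its next iteration and returns `alert(1)`. On the second sample the hardened function rebuilds the bold tag as a bare `<b>`, so the `onmouseover` handler is gone, and the comment and the ampersand come out as `&lt;!-- comment --&gt;` and `&amp;`. The `[^<>]*` in the tag pattern is deliberately conservative: an attribute value containing `>` is cut at that character and the remainder is escaped as text rather than interpreted.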

There are a large number of implementation options. Look in the direction of BBCode.

I.e. the user writes the text and, wanting bold, types [b]bold[/b].

You can safely save the BBCode to an SQL database, etc.

But before displaying the message, you simply change [b] to <b> and [/b] to </b>.

But I really do not advise trying to allow anything else there. Whatever is forbidden or dangerous, let it stay that way.

    After htmlspecialchars(), I would restore some valid tags, i.e. &lt;(.*)&gt; -> <b>$1</b>.

    You can use a regex, or the built-in parser - http://php.net/manual/ru/book.bbcode.php
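The escape-first approach of the last two answers (escape everything with htmlspecialchars(), then re-enable only a fixed set of tags, either from their escaped `&lt;b&gt;` form or from BBCode `[b]`), as an added example that is not code from either answer. Because the text is already escaped when the matching happens, there is nothing to decode later and no removal step that could reassemble a forbidden tag; the example also keeps the re-enabled tags balanced so an unclosed `<b>` cannot leak into the rest of the page. The function name, the `ALLOWED_TAGS` list, the BBCode mode and the sample posts are assumptions made for the illustration.

```php
<?php
// Added example: escape first, then selectively restore whitelisted tags.
// ALLOWED_TAGS, renderAllowedTags() and the sample posts are hypothetical.
declare(strict_types=1);

const ALLOWED_TAGS = ['b', 'i', 'kbd'];

// Escape the whole text, then turn "&lt;b&gt;" / "&lt;/b&gt;" (or, in BBCode
// mode, "[b]" / "[/b]") back into real tags: only for allowed names, only
// without attributes, and only while opening and closing tags nest properly.
// Anything that does not qualify stays escaped.
function renderAllowedTags(string $text, bool $bbcode = false): string
{
    $safe  = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $names = implode('|', array_map('preg_quote', ALLOWED_TAGS));
    $pattern = $bbcode
        ? '~\[(/?)(' . $names . ')\]~i'          // [b] ... [/b]
        : '~&lt;(/?)(' . $names . ')&gt;~i';     // escaped <b> ... </b>, no attributes

    $stack = [];   // currently open tags, innermost last
    $out = preg_replace_callback($pattern, function (array $m) use (&$stack): string {
        $closing = $m[1] === '/';
        $name    = strtolower($m[2]);
        if (!$closing) {
            $stack[] = $name;
            return '<' . $name . '>';
        }
        // A closing tag must match the most recently opened tag.
        if ($stack && end($stack) === $name) {
            array_pop($stack);
            return '</' . $name . '>';
        }
        return $m[0];   // stray or mis-nested close: leave it escaped
    }, $safe);

    // Close whatever the user left open so the formatting ends with the post.
    while ($stack) {
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed sample posts.
$post = 'Press <kbd>Ctrl</kbd>+<b>C</b> <script>alert(1)</script> '
      . '<i onclick="x()">no</i> <b>unclosed';
echo renderAllowedTags($post), "\n";
echo renderAllowedTags('[b]bold[/b] and [i]<b>literal</b>[/i]', true), "\n";
```

In the first call `<kbd>`, `<b>` and `</b>` come back as tags, `<script>` stays as `&lt;script&gt;` because it is not in the list, `<i onclick="x()">` stays escaped because the pattern only accepts a bare tag name, the orphaned `</i>` stays escaped because nothing matching is open, and the trailing `<b>unclosed` gets its `</b>` appended. In BBCode mode the literal `<b>` inside `[i]...[/i]` remains visible text, which is the property the BBCode answer relies on: the only way to get markup is through the bracket syntax.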