0

I need to use JavaScript to remove all HTML tags, except for those I explicitly allow. I have a form that only allows the following tags and their respective end tags:

<b> <strong> <i> <em> <u> <br> <pre>
<blockquote> <ol> <ul> <li> 
<a href="http://www.somesite.com">link</a>

All other markup should be removed. I have been searching but I have only found instances where all tags are removed or a single tag is removed. Can this be done simply? I cannot use PHP, must be javascript. Any solutions?

Thanks!

4
  • 3
    No. You must use PHP, or your security measure is useless. Commented May 20, 2011 at 3:21
  • 1
    If it is something for an intranet I don't think security is an issue. Just functionality. But yes, no go in javascript... Commented May 20, 2011 at 3:22
  • 2
    As a JavaScript exercise yes, I'm sure you could write some regular expressions to find tags and remove them if they're not on your list of allowed tags, but as has been pointed out for a real-world application you must do this server-side. I would seriously consider preventing/removing all angle-bracket HTML tags and instead allow BBCode/forum style square bracket tags where only the tags you define get converted to real HTML tags for later display. Commented May 20, 2011 at 3:32
  • 1
    You'd better use something server-side, either PHP/ASP or something. Commented May 20, 2011 at 3:51

3 Answers

1
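jQuery.fn.removeTags = function()
{
    this.each(function()
    {
        if(jQuery(this).children().length == 0)
        {
            // Leaf element: replace it with a real text node. Passing the
            // string from .text() straight to replaceWith() would parse it as
            // HTML again, so escaped markup such as &lt;script&gt; would turn
            // into a live element.
            jQuery(this).replaceWith(document.createTextNode(jQuery(this).text()));
        }
        else
        {
            // Has child elements: drop this tag but keep its contents.
            jQuery(this).children().unwrap();
        }
    });
    return this;
};

// Strip every element inside #container that is not on the allowed list.
jQuery("#container").find(":not(b, strong, i, em, u, br, pre, blockquote, ul, ol, li, a)").removeTags();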

Make sure the container is nothing higher than the body tag. Or you might have issues when it takes out head, html, script etc. tags.

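Also, if you want, the :not argument could be built from a list:

// Allowed tags as an array, joined into the :not() selector.
var mylist = ["b", "strong", "i", "em", "u", "br", "pre", "blockquote", "ul", "ol", "li", "a"];
// Scoped to #container so html, head, body and script are left alone.
jQuery("#container").find(":not(" + mylist.join(", ") + ")").removeTags();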

Or even put this in the removeTags function. (the possibilities are endless ... )

EDIT: as some have noted in the comments: Javascript can be turned off. The other thing is I assumed you wanted to keep all the inner information. If not then just a remove() will suffice as megakorre suggests.


1 Comment

Although this works, I have decided to use a BB code type of styling and convert them.
1

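So, skipping all forms of security, which I'm guessing is why you are doing it in the first place:

You can put the content in a div and call

// Removes each disallowed element together with everything inside it.
// "i" is on the allowed list in the question, so it is excluded here too.
$('#container :not(b, strong, i, em, u, br, pre, blockquote, ol, ul, li, a)').remove();
var res = $("#container").html();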


0

As pointed out in the comments, this can't be done securely. It will be very easy to circumvent the JavaScript filter. This must be implemented server side.
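An added example, not code from any answer in this thread: a string-based allowlist filter in plain JavaScript that can run server-side under Node.js. Unlike the jQuery selectors above, it also drops every attribute except an http(s) href on `<a>`; `sanitizeHtml`, `ALLOWED` and the sample input are hypothetical names and constructed data.

```javascript
// Added example (not from the thread). Names are hypothetical and the
// sample input at the bottom is constructed.
const ALLOWED = new Set(['b', 'strong', 'i', 'em', 'u', 'br', 'pre',
                         'blockquote', 'ol', 'ul', 'li', 'a']);

// Text outside recognised tags: neutralise any stray angle bracket.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Return a re-quotable href if it is an absolute http(s) URL, else null.
function safeHref(rawTag) {
  const m = /\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(rawTag);
  if (!m) return null;
  const url = (m[1] ?? m[2] ?? m[3]).trim();
  if (!/^https?:\/\//i.test(url)) return null;  // rejects javascript:, data:, ...
  return url.replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

function sanitizeHtml(input) {
  // A tag is "<" or "</", a name, then whitespace, "/" or ">".
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)(?=[\s\/>])[^>]*>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;            // drop the tag, keep inner text
    if (closing) {
      if (name !== 'br') out += `</${name}>`;    // br has no end tag
    } else if (name === 'a') {
      const href = safeHref(m[0]);
      out += href ? `<a href="${href}">` : '<a>';
    } else {
      out += `<${name}>`;                        // canonical form, no attributes
    }
  }
  return out + escapeText(input.slice(last));
}

// Constructed sample input.
const sample = '<b onclick="x()">bold</b><script>alert(1)</script> ' +
               '<a href="javascript:alert(1)">bad</a>';
console.log(sanitizeHtml(sample));
```

The filter does not balance tags, so an unclosed `<blockquote>` still reaches the page; pass the output through an HTML parser if well-formedness matters.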
