
I'm trying to remove any code that a user may have entered in the textarea. I've tried many things, nothing seems to work. Here's the code:

  // Removes tags together with their content; $tags is a list like '<b><i>'
  // of tags to keep (or, with $invert = TRUE, the only tags to remove).
  function strip_tags_content($text, $tags = '', $invert = FALSE) {
      preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
      $tags = array_unique($tags[1]);

      if (is_array($tags) AND count($tags) > 0) {
          if ($invert == FALSE) {
              return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
          }
          else {
              return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
          }
      }
      elseif ($invert == FALSE) {
          return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
      }
      return $text;
  }

  $message = $_POST['message'];
  $message = nl2br($message);
  $message = strip_tags($message);
  $message = strip_tags_content($message);
  $message = htmlentities($message);

Even with all of this, I can still put html tags and have them printed out and run as html. How do I remove all tags?

  • Don't roll your own HTML cleaners, ESPECIALLY using regexes. You can NOT use regexes on HTML reliably, especially if that HTML is potentially bad/mis-structured. Start using HTML Purifier and get on with more important things. Commented Jul 10, 2015 at 21:44
  • HTML Purifier still allows tags such as the bold tag and line breaks. I don't want those either. Commented Jul 10, 2015 at 21:50
  • What is the input and output you are currently getting? You should run nl2br after strip_tags. Commented Jul 10, 2015 at 22:01
  • @chris85 When the input is: <a>dljsfkjhdsa</a><br><b><?php echo "good";;; ;::;""'"' <b>....?> hi the output is dljsfkjhdsa ....?> hi with ....?> in bold Commented Jul 10, 2015 at 22:03
  • Not what I am getting when using that function, see the demo here: sandbox.onlinephpfunctions.com/code/… Commented Jul 10, 2015 at 22:04

4 Answers

Try using the filter_input function.

Example:

$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING);

or

$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);

2 Comments

It works when I use just HTML tags, but it doesn't work for everything. For example, when the input is: <a>dljsfkjhdsa</a><br><b><?php echo "good";;; ;::;""'"' <b>....?> hi the output is dljsfkjhdsa ....?> hi with ....?> in bold
I recommend just taking an in-depth look at the filter_input function and its various flags to work out what you need.

You can use the strip_tags function; it strips all HTML and PHP tags by default, but you can allow some HTML tags (for example a, b, or span, useful in comments).

$message = strip_tags($_POST['message']);
$message = nl2br($message);

or

$message = nl2br($_POST['message']);
$message = strip_tags($message, '<br><br/>');

5 Comments

Why the downvote? strip_tags works well, even with the input <a>dljsfkjhdsa</a><br><b><?php echo "good";;; ;::;""'"' <b>....?> hi: 3v4l.org/8m8iv
Don't know about the downvote, but you should provide code in an answer, not just a statement about what a function does. Also note that the OP has this function in their code, so perhaps it isn't working for them.
Not the hardest function to use, but okay. I've edited my first answer.
There is no difference, though, between the OP's $message = strip_tags($message); and your answer.
I don't know how the OP is testing his code, but using only strip_tags gives the right result. No need for the strip_tags_content or htmlentities functions in this case.
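The comments above turn on two details of strip_tags() that are easy to get wrong: the order relative to nl2br(), and the fact that strip_tags() is a tag stripper, not a parser or an encoder. The following script is an added example (it is not code from this answer or from the question) that puts the three orderings side by side and then shows a case where strip_tags() discards legitimate user text. All input strings are constructed for the demonstration.

```php
<?php
// Added example, not code from the answer: the order of nl2br() and
// strip_tags() decides whether the inserted <br /> survives, and
// strip_tags() is not a parser, so broken markup can swallow user text.
// All input strings below are constructed for illustration.

declare(strict_types=1);

// Order used by the answer: tags are removed first, then line breaks are
// added, so the <br /> that nl2br() inserts is never seen by strip_tags().
function stripThenBreak(string $text): string
{
    return nl2br(strip_tags($text));
}

// Order used in the question: nl2br() runs first and strip_tags() then
// removes the <br /> it just inserted, along with every other tag.
function breakThenStrip(string $text): string
{
    return strip_tags(nl2br($text));
}

// Same order, but <br> is on the allow list; strip_tags() normalises
// "<br />" to "<br>" before matching, so the line breaks are kept.
function breakThenStripAllowBr(string $text): string
{
    return strip_tags(nl2br($text), '<br>');
}

$input = "line one\n<b>bold</b> <script>alert(1)</script>";

// Tags are removed but their content is kept, so "alert(1)" remains as text.
var_dump(stripThenBreak($input));
var_dump(breakThenStrip($input));
var_dump(breakThenStripAllowBr($input));

// A '<' followed by a non-space character opens a "tag"; with no closing
// '>' in sight, everything from that point to the end of the string goes.
var_dump(strip_tags('I <3 PHP and 2<3 is true'));

// A '<' followed by whitespace is treated as ordinary text when no allow
// list is given, so it passes through raw. strip_tags() never encodes
// anything; turning '<' into '&lt;' is a separate step at output time.
var_dump(strip_tags('5 < 6 and 7 > 3'));
var_dump(htmlspecialchars('5 < 6 and 7 > 3', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
```

Run it as a plain CLI script and compare the first three dumps: only the first and third keep a `<br />`. The fourth dump shows the data-loss side of the state machine (the heart and everything after it are gone), and the last two show why stripping is not a substitute for encoding: the raw `<` in `5 < 6` comes out of strip_tags() unchanged and is only made inert by htmlspecialchars().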

I'm trying to remove any code that a user may have entered in the textarea. I've tried many things, nothing seems to work

But why do you want to do that? It's not really a problem on input. If a user enters e.g. <script ....> or <h1>foo</h1>, it does no harm. It's usually a problem on output (display), so I'd rather just call htmlspecialchars() on the data prior to display to "neutralize" HTML tags.

2 Comments

I thought about doing that at first, but the application in my case demands that I be able to use HTML tags but the user not. This is actually a user-to-user chat (Facebook style), and I keep all the messages in a txt file. I need to put a link to the user's profile, so this isn't possible.
You mean your code is using HTML tags? If so, how many tags are you using? Just <b> etc., or anything possible?
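The answer above and the follow-up comment describe two requirements that are usually treated as one: the user's text must never be interpreted as HTML, and the application must still emit its own markup (the profile link). They are compatible once the user's text is encoded at render time and the link is built by the server. The script below is an added example, not the answerer's code or the question author's; the `/profile/{id}` URL scheme, the record field names and the sample messages are assumptions made for the demonstration.

```php
<?php
// Added example, not the answer's code: keep the chat message as plain
// text in storage, encode it at output time, and let the server author
// the only markup that appears (the profile link). The /profile/{id}
// URL scheme, field names and sample data are assumptions for the demo.

declare(strict_types=1);

// Encode a string for an HTML text node or a double-quoted attribute value.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Storage: one JSON object per line keeps the user's text separate from
// the application's fields, so the text file never has to contain HTML.
function encodeRecord(int $userId, string $displayName, string $message): string
{
    return json_encode(
        ['user_id' => $userId, 'name' => $displayName, 'text' => $message],
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE
    ) . "\n";
}

function decodeRecord(string $line): array
{
    return json_decode($line, true, 512, JSON_THROW_ON_ERROR);
}

// Render one message. The link is built by the application; every value
// interpolated into the markup is encoded for the context it lands in.
function renderMessage(array $record): string
{
    $href = '/profile/' . rawurlencode((string) $record['user_id']);
    $link = '<a href="' . h($href) . '">' . h($record['name']) . '</a>';

    // Encode first, then add line breaks: nl2br() only inserts <br />
    // and leaves the already-encoded text untouched.
    $body = nl2br(h($record['text']));

    return '<p class="msg">' . $link . ': ' . $body . '</p>';
}

// Constructed samples: a message that tries to inject markup and script,
// and a display name that is itself markup.
$log = encodeRecord(42, 'alice', "hello\n<b>bold?</b> <script>alert(1)</script>")
     . encodeRecord(7, '"><img src=x onerror=alert(1)>', 'I <3 PHP');

foreach (explode("\n", rtrim($log, "\n")) as $line) {
    echo renderMessage(decodeRecord($line)), PHP_EOL;
}
```

The point of the split is that nothing the user typed is ever concatenated into the page unencoded, so there is no list of "bad tags" to maintain and no text is lost (the `I <3 PHP` message survives intact, which strip_tags() would not allow). The only tag in the output is the `<a>` the server wrote, and the values inside it, the id in the `href` and the display name in the text node, are each encoded for their own context.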

You can use the HTMLPurifier class. It is really simple to use.

http://htmlpurifier.org/

Read the documentation! Here is an example:

function Sanitize_Inputs($inputs){
    // Path as given in the original answer; adjust to where the library lives.
    require_once('.../HTMLPurifier/htmlpurifier.auto.php');
    // The default configuration keeps a safe subset of HTML (b, a, br, ...).
    // To allow no tags at all, set the 'HTML.Allowed' directive to ''.
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    foreach ($inputs as $input_name => $valor){
        // purify() expects a string; skip nested arrays such as field[]=...
        if (!is_string($valor)) {
            continue;
        }
        $inputs[$input_name] = $purifier->purify($valor);
    }
    $purifier = null;
    $config = null;
    return $inputs;
}


$sanitized = Sanitize_Inputs($_POST);
var_dump($sanitized);
exit;
