0

I have a CMS where I let the user to upload JS and HTML code and I want them use all possible HTML tags, and only tags I want to restrict are <PHP ?> and <? ?>

I know we have strip_tags but it only have the option of allow tags. I want something similar but with the option of ban tags.

Thanks

Improve this question
6
  • It is Core PHP, not any particular framework or CMS Commented Jan 16, 2014 at 14:29
  • What about preg_match? Commented Jan 16, 2014 at 14:30
  • Do you need the content to be removed as well or just the tags? Commented Jan 16, 2014 at 14:34
  • Use HTML purifier. It gives you FAR better control over html sanitization than strip_tags ever will. Commented Jan 16, 2014 at 14:42
  • @TiiJ7, Also Content betwee the tags. THanks Commented Jan 16, 2014 at 14:43

4 Answers 4

Reset to default
1 
<?php
 $string='this string contains <?php tag';
 $string=str_replace('<?php','',$string);    // same can be done for '?>'
 echo $string;
?>

Demo

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

if the tags are only these, you can use preg_replace function: 

$string = '<?php content ?>';
$string = preg_replace('/(<\?php|<\?|\?>)/i', '', $string);
echo $string;

it will output content

more information here: http://www.php.net/manual/en/function.preg-replace.php

Improve this answer

1 Comment

Downvoted, need to implement a better example, and the link should be only reference to what you are saying to avoid errors if the link goes dead
0

This can't be done with strip tags as that function only handles html tags, and technically speaking, php open/close tags are not html.

What you could do is use a regular expression for simply matching the strings in context where they could mean something... It's a bit of a broad replace but not a terrible assumption that any tags in this format are meant to be open/close tags and can thus be filtered out:

$result = preg_replace('/<\?php|<\?|\?>/im', '', $content);
Improve this answer

3 Comments

Oh. Goody... regexes on html... and on html that's probably full of nasty syntax errors because it's user-submitted as well. You might as well just have $result = null for more reliable results.
@MarcB that's not a regex over html [in order to parse and get content], that's just a way to prevent harmful code execution.
@MarcB nice rant but I believe it is a bit misplaced here... I don't see how regexing out those tags modifies html in any way. If preserving the original input is a goal then the files should be stored and served in a way it's never parsed by php, but that's besides the point...
0

I first want to note that unless you are using eval, this shouldn't really be a problem, but anyway, my solution:

do {
    $content = preg_replace('/(<\\?.*?(\\?>|$))/si', '', $content, -1, $count);
} while($count);

If you're wondering why it's in a loop, it's because hackers can be quite ingenious: <<? ?>?php

This also removes the content between tags.

It will also remove other Processing Instruction tags (like <?xml).

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.