4

I don't want to use PHP's strip_tags function. Instead, I want to replace <script> and </script> with an empty string so that the output is alert(1).

Input:- <script>alert(1)</script>

Output:- alert(1)

How can I achieve this?

6 Answers

16

Either use a simple replace:

$string = str_replace(array("<script>","</script>"), "", $string);

or a RegEx:

$string = preg_replace("/<script.*?>(.*)?<\/script>/im","$1",$string); 

1 Comment

Be careful: The regex does not recognize new lines. Add the s-flag (/ims) to fix that.
2

An easy way is to use StripTags.

Go to the StripTags GitHub page and download it, or install it via Composer. This class has a method called only that does this for you!

use Mimrahe\StripTags\Stripper;
$stripper = new Stripper();
$stripper->text('<a href="#">link</a><p>some paragraph</a>');
$stripper->only(['p']);
echo $stripper->strip(); // prints '<a href="#">link</a>some paragraph'

Comments

2

I guess you want to prevent XSS attacks. You shouldn't merely worry about script tags; someone might exploit it like this: <a href="http://anywhere.com" onClick="alert(1);">test</a> (this is a very basic way though).

If you only want the script tag, with no attributes, to be filtered:

str_replace(array('<script>', '</script>'), array('', ''), $str);

You should improve this using Regex; using preg_match'es and preg_replaces (or only preg_replaces) you can match and/or replace the script tag with its attributes. Or even have more protection against XSS.

Edit: or even a regex like /<script>(.+)<\/script>/, then store what is between the brackets in a variable, then print it.

Comments
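
An added example, not part of any answer on this page: it runs the literal str_replace and the first answer's regex (with the s flag from the comment) over three inputs built from strings that appear above, next to htmlspecialchars output encoding. The function names and the sample array are illustrative assumptions.

```php
<?php
// Added example. Sample inputs are constructed from strings quoted on this page.

/** Literal removal of <script> and </script>, as in the str_replace answers. */
function strip_literal(string $s): string {
    return str_replace(['<script>', '</script>'], '', $s);
}

/** The first answer's regex with the s flag added so . also matches newlines. */
function strip_regex(string $s): string {
    // preg_replace returns null on error; fall back to an empty string (fail closed).
    return preg_replace('/<script.*?>(.*)?<\/script>/ims', '$1', $s) ?? '';
}

/** Output encoding: the input stays data and is rendered as visible text. */
function encode_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** True if the string still contains a raw '<', i.e. something a browser may parse as a tag. */
function has_raw_markup(string $s): bool {
    return strpos($s, '<') !== false;
}

$samples = [
    'plain tag'      => '<script>alert(1)</script>',
    'tag with attrs' => "<script type=\"text/javascript\">\nalert(1)\n</script>",
    'event handler'  => '<a href="http://anywhere.com" onClick="alert(1);">test</a>',
];

$filters = [
    'str_replace'      => 'strip_literal',
    'preg_replace'     => 'strip_regex',
    'htmlspecialchars' => 'encode_for_html',
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    foreach ($filters as $name => $fn) {
        $out = $fn($input);
        printf("%-17s raw markup left: %-3s %s\n", $name,
            has_raw_markup($out) ? 'yes' : 'no',
            json_encode($out, JSON_UNESCAPED_SLASHES));
    }
}
```

For all three inputs only the htmlspecialchars row reports no raw markup; the event-handler input passes through both tag-removal filters unchanged.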

0

Try this comrade..

$strn = "<script>alert(1)</script>";
$ptrn = "=^<script>(.*)</script>$=i";

echo preg_match( $ptrn, $strn, $mtchs ); // 0 means no match; 1 means a match was found!
var_dump( $mtchs );

results in

1array(2) {
    [0]=> string(25) "<script>alert(1)</script>"
    [1]=> string(8) "alert(1)"
}

Comments

-2

You can always use strip_tags() with a second parameter containing the allowable tags.

Alternatively, use...

preg_replace('/<script>(.*)<\/script>/i', '$1', $input);

Note, not tested.

2 Comments

So add the tags you don't want to remove to the second parameter.
Don't make me repeat myself :/
-2
echo strip_tags($text, '<p><strong><a>');

Just state the ones you don't want removed in the second param.

2 Comments

Doesn't solve the issue. Would remove the node inside the tags. The example shows stripping the tags, but not the contents.
-1 Doesn't address the question at all. First off, OP said "I don't want to use strip_tags". Secondly, what if this were stripping tags for an entire HTML file? It is completely unreasonable to expect an entirely comprehensive list of all possible HTML tags to exist.
