Newsgroups: php.internals
From: valyala@tut.by ("Alexander Valyalkin")
To: internals@lists.php.net
Date: Thu, 10 Jun 2004 16:33:13 +0300
Subject: strip_tags() discussion

What is the sense of the [allowable_tags] parameter in strip_tags()?
According to the docs, "You can use the optional second parameter to specify tags which should not be stripped".

Ok. Suppose I have a PHP guestbook and use strip_tags() to filter all tags, excepting ,, in users' messages. Then a "cool-hacker" enters the following string in my guestbook:

THE MATRIX HAS YOU :)

I see the following solutions to the problem:
1) strip ALL tags by hand. The current version of the function strip_tags() cannot be used for this operation. See the explanation below
2) use "pseudotags" like BBCode in PHPbb
3) do not strip any tags, but perform htmlspecialchars() before output
4) write a new strip_tags(), which must strip all tags and cut ANY chars after allowable tags. In the example above it must leave:
THE MATRIX HAS YOU :)

Propose any other way if you know it.

Which way is better? The last one, in my opinion.

And now I'll show some examples, which will explain the wrong behavior of the current version of strip_tags():
1) the bold string
2) the hidden string
3) any HTML after the HTML-comment will be stripped.
4) '?>test

the list could be continued...
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
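
Added example, not part of the original message or of PHP itself: a sketch of option 4 from the list above, which drops every tag except the allowed ones and emits those without any attributes, escaping all remaining text with htmlspecialchars() as in option 3. The helper name strict_strip_tags(), the allowed tag list and the sample input are assumptions constructed here, because the markup of the poster's own example string did not survive in this copy.

```php
<?php
// Added example: strict_strip_tags() is a hypothetical helper, not a PHP built-in.

/**
 * Emit allowed tags only in bare form (<b>, </b>), drop every other tag,
 * and HTML-escape everything that is not a tag.
 */
function strict_strip_tags(string $input, array $allowed = ['b', 'i', 'u']): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $allowed = array_map('strtolower', $allowed);

    // Odd-numbered parts are "<...>" chunks, even-numbered parts are text.
    $parts = preg_split('~(<[^>]*>)~', $input, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        return htmlspecialchars($input, $flags, 'UTF-8'); // fail closed
    }

    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            $out .= htmlspecialchars($part, $flags, 'UTF-8');
            continue;
        }
        // Read only the tag name; attributes are never copied to the output.
        if (preg_match('~^<\s*(/?)\s*([a-z][a-z0-9]*)(?=[\s/>])~i', $part, $m)
            && in_array(strtolower($m[2]), $allowed, true)) {
            $out .= '<' . $m[1] . strtolower($m[2]) . '>';
        }
    }
    return $out;
}

// Constructed sample input (assumption): an allowed tag carrying an attribute.
$sample = '<b onmouseover="alert(1)">THE MATRIX HAS YOU :)</b><script>x()</script>';

echo strip_tags($sample, '<b><i><u>'), "\n"; // built-in: keeps the attribute
echo strict_strip_tags($sample), "\n";       // helper: bare <b>...</b> only
```

Because the only markup the helper can emit is a fixed set of bare tag strings, a chunk it misparses (for example an attribute value containing `>`) ends up escaped as text rather than passed through.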