Newsgroups: php.internals
Xref: news.php.net php.internals:10386
Message-ID: <40C8673B.1000602@cschneid.com>
Date: Thu, 10 Jun 2004 15:50:51 +0200
From: cschneid@cschneid.com (Christian Schneider)
To: Alexander Valyalkin
Cc: internals@lists.php.net
Subject: Re: strip_tags() discussion

Alexander Valyalkin wrote:
> What is the sense of the [allowable_tags] parameter in strip_tags()?
>
> According to the docs, "You can use the optional second parameter to specify
> tags which should not be stripped".
strip_tags alone is indeed not enough to make sure the input is safe to display inside your web page. But even if you'd remove all attributes from the tags, you still have the problem that you're not checking if the input is valid HTML.

I once wrote a userland function which a) validated the input to ensure XML conformance and b) stripped all but certain tag/attribute combinations. It requires the input to be XHTML but makes the tests much easier.

But to be honest, I think most of the time it is much better to simply disallow HTML and use htmlspecialchars() on user input.

I'd leave strip_tags as it is; it's still useful in some cases where you want to strip certain information for internal processing but you don't include its output in a webpage.

- Chris
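To make the two points above concrete, here is an added example that is not from the mail or from PHP itself: it shows what strip_tags() with allowable_tags leaves behind, then a userland filter in the spirit of the one Chris describes (parse as XML, reject anything not well-formed, keep only allow-listed tag/attribute combinations), and finally the htmlspecialchars() alternative. The function names, the allow-list and the sample input are all assumptions made for the example.

```php
<?php
// Added example, not code from the original mail. Names, the allow-list
// and the sample input below are assumptions for illustration only.

// Constructed sample input: allowed tags carrying attributes that
// strip_tags() does not touch, plus one disallowed tag.
$input = '<p class="x" onmouseover="alert(1)">Hi <b>there</b> '
       . '<a href="http://example.com/" onclick="alert(2)">link</a> '
       . '<script>alert(3)</script></p>';

// 1. strip_tags() with allowable_tags keeps the listed tags together with
//    all of their attributes, and keeps the text inside stripped tags.
echo strip_tags($input, '<p><b><a>'), "\n";

// Allow-list of tag => permitted attributes (an assumption for the example).
$allowed = [
    'p' => [],
    'b' => [],
    'a' => ['href'],
];

/**
 * Validate the fragment as XML (i.e. require XHTML) and keep only the
 * allow-listed tag/attribute combinations. Returns null when the input is
 * not well-formed so the caller can reject it instead of guessing.
 */
function filterXhtml(string $fragment, array $allowed): ?string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // Wrapping in a root element makes a multi-element fragment one
    // document; it also means a DOCTYPE inside the fragment is a parse
    // error, so no external entities can be declared by the input.
    $ok = $doc->loadXML('<root>' . $fragment . '</root>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    $root = $doc->documentElement;
    filterNode($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) {
        // LIBXML_NOEMPTYTAG keeps <b></b> instead of <b/> for HTML consumers.
        $out .= $doc->saveXML($child, LIBXML_NOEMPTYTAG);
    }
    return $out;
}

function filterNode(DOMNode $node, array $allowed): void
{
    // Copy the list first: removing children while iterating a live
    // DOMNodeList skips elements.
    $children = iterator_to_array($node->childNodes, false);
    foreach ($children as $child) {
        if ($child instanceof DOMElement) {
            $name = strtolower($child->tagName);
            if (!isset($allowed[$name])) {
                // Disallowed element: drop it together with its content.
                $node->removeChild($child);
                continue;
            }
            // Remove every attribute not on the allow-list for this tag.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                if (!in_array(strtolower($attr->name), $allowed[$name], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            // Even an allowed href is kept only for http/https URLs.
            if ($child->hasAttribute('href')
                && !preg_match('#^https?://#i', $child->getAttribute('href'))) {
                $child->removeAttribute('href');
            }
            filterNode($child, $allowed);
        } elseif ($child instanceof DOMCdataSection) {
            // Serialize CDATA as escaped text so its markup cannot leak through.
            $node->replaceChild(
                $child->ownerDocument->createTextNode($child->data), $child);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions: drop.
            $node->removeChild($child);
        }
    }
}

// 2. Allow-listed XHTML: the event handlers, class and <script> are gone.
$filtered = filterXhtml($input, $allowed);
echo $filtered === null ? "rejected: not well-formed XHTML\n" : $filtered . "\n";

// 3. The simpler alternative from the mail: disallow HTML and escape it.
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), "\n";
```

The filter is deliberately strict in the direction the mail argues for: anything that does not parse as XML is rejected rather than repaired, unknown elements are removed with their content, and the only attribute that survives is an http(s) href on an anchor. For most applications the third option, escaping with htmlspecialchars() and not rendering user-supplied markup at all, is the one to reach for first.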