php strip_tags: allows <br />?

Question

Hi,

How it is possible to allow <br /> in strip_tags() or any way I can get around to it?

<?php
$text = '<p>Test <br />paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p>, <a>, <br />
echo strip_tags($text, '<p><a><br />');
echo "\n";

// Allow <br /> only
echo strip_tags($text, '<br />');
?>

result:

Test paragraph. Other text
<p>Test paragraph.</p> <a href="#fragment">Other text</a>
Test paragraph. Other text

Thanks, Lau

Answer 1

Don't use a self-closing tag name? echo strip_tags($text, '<br>');

The strip_tags() function's allowable_tags argument takes the allowed tags in the form <tagname> The reason your code didn't work was because you used <br /> instead of <br>.

Answer 2

Ya you can mix one or more tag to be striped same time.

string strip_tags ( string $str [, string $allowable_tags ] )

check documentation

• http://php.net/manual/en/function.strip-tags.php

if you want to strip new line as well solution will be before stripping you can use nl2br

• http://php.net/manual/en/function.nl2br.php

so

echo strip_tags(nl2br($text), '<br>');

Answer 3

strip_tags is not intended as a security measure, and using it with allowable_tags is definitely insecure, as it'll let through event handler and other harmful attributes.

If you want to allow user input with a few whitelisted elements and attributes you'll need to use a HTML-sanitising library with a proper HTML parser. See for example HTML purifier.

It's usually better for user comments not to give the user control over the HTML markup at all, but instead to accept raw text, HTML-escape it on output, and do replacements to generate markup from text (eg: \n -> <br>, \n\n -> </p><p>, link detection).