views: 45
answers: 2
```php
function validCleanHtml( $unclosedString )
{
    // Work on a copy; collect the names of all opening tags, e.g. "em" from "<em>".
    $closedString = $unclosedString;
    preg_match_all( "/<([^\/]\w*)>/", $closedString, $tags );
    // Walk the opening tags in reverse and append a closing tag for each one
    // that has fewer closers than openers in the string so far.
    for ( $i = count( $tags[1] ) - 1; $i >= 0; $i-- )
    {
        $tag = $tags[1][$i];
        if ( substr_count( $closedString, "</$tag>" ) < substr_count( $closedString, "<$tag>" ) )
            $closedString .= "</$tag>";
    }
    // Remove every tag except <em> and <strong>.
    $validTags = "<em><strong>";
    $validClosedString = strip_tags( $closedString, $validTags );
    return $validClosedString;
}
```

OK, what I want is to enable 2 HTML tags, em and strong. Is this secure from XSS? If not, how can we secure it?

Thanks

Adam Ramadhan
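The following PHP is an added example, not the asker's code and not from either answer. It shows the limitation the `strip_tags` manual page documents (allowed tags keep all of their attributes, event handlers included) next to a stricter approach: escape the whole string with `htmlspecialchars`, then restore only the four literal strings `<em>`, `</em>`, `<strong>`, `</strong>`, closing anything left open. The function names `stripTagsOnly` and `allowEmStrong` and the sample inputs are constructed for this example.

```php
<?php
// Added example (not the asker's code). Compares strip_tags() with an
// allow-list against an escape-then-restore approach for <em> and <strong>.

// strip_tags() keeps allowed tags together with every attribute on them,
// so a surviving <strong> can still carry an event-handler attribute.
function stripTagsOnly(string $html): string
{
    return strip_tags($html, '<em><strong>');
}

// Hardened variant: escape everything, then re-enable only the exact
// literal tags <em>, </em>, <strong>, </strong>. Attributes can never come
// back because only those fixed strings are restored. Tags are tracked on
// a stack so the output is well-nested and anything left open is closed.
function allowEmStrong(string $html): string
{
    $escaped = htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $open = [];   // stack of currently open allowed tags
    $out  = '';
    $pos  = 0;

    // After escaping, "<em>" has become "&lt;em&gt;" etc.; find those only.
    preg_match_all('~&lt;(/?)(em|strong)&gt;~i', $escaped, $m,
                   PREG_OFFSET_CAPTURE | PREG_SET_ORDER);

    foreach ($m as $match) {
        [$whole, $offset] = $match[0];
        $closing = $match[1][0] === '/';
        $tag     = strtolower($match[2][0]);

        // Copy the escaped text between the previous match and this one.
        $out .= substr($escaped, $pos, $offset - $pos);
        $pos  = $offset + strlen($whole);

        if (!$closing) {
            $open[] = $tag;
            $out   .= "<$tag>";
        } elseif (!empty($open) && end($open) === $tag) {
            array_pop($open);
            $out .= "</$tag>";
        } else {
            // Stray closing tag: leave it as visible escaped text.
            $out .= $whole;
        }
    }
    $out .= substr($escaped, $pos);

    // Close anything still open, innermost first.
    while (($tag = array_pop($open)) !== null) {
        $out .= "</$tag>";
    }
    return $out;
}

// Constructed sample inputs for the demo.
$samples = [
    'plain <strong>bold</strong> and <em>italic</em>',
    '<strong onmouseover="evil()">attribute survives strip_tags</strong>',
    '<script>evil()</script><em>unclosed',
    '<a href="http://example.invalid">link</a> 1 < 2',
];

foreach ($samples as $s) {
    echo "input:      $s\n";
    echo "strip_tags: " . stripTagsOnly($s) . "\n";
    echo "hardened:   " . allowEmStrong($s) . "\n\n";
}
```

Running it shows the difference on the second sample: `stripTagsOnly` returns the `<strong>` tag with its `onmouseover` attribute intact, while `allowEmStrong` leaves that tag as escaped text because it is not one of the four literal strings being restored. The design choice is deliberate: everything the filter does not explicitly recognise stays as visible, escaped text rather than being silently removed, so the only markup that can reach the browser is markup the function itself emitted.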

+4  A: 

I think that strip_tags holds the answer.

http://us2.php.net/strip_tags

Rather than enabling certain fields, you could also remove the ones you don't want. Namely: link, style, script, iframe, frame

webdestroya
That's a lot of work. Thanks, mate.
Adam Ramadhan
@Adam, please consider @jasonbar's answer as well. It provides [superior filtering options](http://htmlpurifier.org/comparison#striptags) than `strip_tags`.
Charles
+4  A: 

Have you looked at any existing solutions like htmlpurifier? You really don't want to write your own HTML parser - and certainly not with regular expressions.

jasonbar