(PHP 4, PHP 5, PHP 7)
strip_tags — Strip HTML and PHP tags from a string
$str
[, string $allowable_tags
] ) : string
This function tries to return a string with all NULL bytes, HTML and PHP tags stripped
from a given str
. It uses the same tag stripping
state machine as the fgetss() function.
str
The input string.
allowable_tags
You can use the optional second parameter to specify tags which should not be stripped.
Note:
HTML comments and PHP tags are also stripped. This is hardcoded and can not be changed with
allowable_tags
.
Note:
In PHP 5.3.4 and later, self-closing XHTML tags are ignored and only non-self-closing tags should be used in
allowable_tags
. For example, to allow both <br> and <br/>, you should use:<?php
strip_tags($input, '<br>');
?>
Returns the stripped string.
Version | Description |
---|---|
5.3.4 |
strip_tags() ignores self-closing XHTML
tags in
allowable_tags .
|
Example #1 strip_tags() example
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
The above example will output:
Test paragraph. Other text <p>Test paragraph.</p> <a href="#fragment">Other text</a>
This function should not be used to try to prevent XSS attacks. Use more appropiate functions like htmlspecialchars() or other means depending on the context of the output.
Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.
This function does not modify any attributes on the tags that you allow
using allowable_tags
, including the
style and onmouseover attributes
that a mischievous user may abuse when posting text that will be shown
to other users.
Note:
Tag names within the input HTML that are greater than 1023 bytes in length will be treated as though they are invalid, regardless of the
allowable_tags
parameter.