PHP: How to strip HTML tag while allowing < and >

Question

Question: How do I strip HTML tags but allow the greater and less-than sign using PHP?

If I used PHP's strip_tags() function, it doesn't quite work:

$string = '<p>if A > B</p>'
echo strip_tags($string);  // if A B
// but I want to output "if A > B"

UPDATE

Basically, I only want to allow/display plain text.

You know you shouldn't have < and > in HTML anyway? You should use character entities instead such as < and > - the browser will render them as < and > — Tamas Czinege, Jan 03 '10 at 23:01
@DrJokepu, so if I use htmlspecialchars(), that encodes the > to > but doesn't strip tags. Basically, I only want to allow plain-text. What's the simplest way to do that? — TimTim, Jan 03 '10 at 23:52
@SpliFF - no it isn't invalid. Add a doctype and a title element, and try it via the direct input box at http://validator.w3.org/check. — Alohci, Jan 04 '10 at 01:21
Related question: http://stackoverflow.com/questions/1996344/is-preventing-xss-and-sql-injection-as-easy-as-does-this IMHO just leave `strip_tags()` aside and go ahead with `htmlspecialchars()`. No need to exagerrate this. — BalusC, Jan 04 '10 at 01:50

score 4 · Answer 1 · edited May 23 '17 at 12:13

4

You can use HTML Purifier this will not only work with the if A > B example which you wrote, but also the example 1<2 && 6>4 written by DrJokepu.

Given the input 1<2 && 6>4 with the allowed elements set to none, HTML purifier gives the output: 1<2 && 6>4.

edited May 23 '17 at 12:13

Community

1
1

answered Jan 03 '10 at 23:39

Tommy Andersen

7,165
1
31
50

score 0 · Answer 2 · answered Jan 03 '10 at 23:06

0

This will strip everything that looks like an HTML tag.

htmlentities(preg_replace('/<\\S.*?>/', '', $text));

answered Jan 03 '10 at 23:06

amphetamachine

27,620
12
60
72

2

This will fail on
1<2 && 6>4
- see http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454 – Tamas Czinege Jan 03 '10 at 23:11

Brian Agnew · Answer 3 · 2010-01-03T23:40:34.153

0

Unfortunately the simplest and most reliable way to get this working is to use an HTML parser. This one will do the trick. I don't know if it'll handle HTML fragments like the above. If not, then wrapping to make it acceptable HTML should be trivial.

As others are pointing out, parsing HTML with a regexp has numerous edge cases to cater for, and difficulty, since HTML is not regular.

edited Jan 03 '10 at 23:40

answered Jan 03 '10 at 23:35

Brian Agnew

268,207
37
334
440

score 0 · Answer 4 · answered Apr 14 '10 at 14:53

0

Try this regular expression that I wrote: <([^>]?="(\"|[^"])?")?([^>]?=''(\''|[^''])?'')?[^>]*?>

answered Apr 14 '10 at 14:53

shellster

1,091
1
10
21

score 0 · Answer 5 · answered Dec 10 '10 at 00:27

0

Use:

<p><?php echo htmlspecialchars("if A > B") ?></p>

(of course you can use any input instead of literal string)

htmlspecialchars() converts plain text to HTML text, preserving < and >.

answered Dec 10 '10 at 00:27

Kornel

97,764
37
219
309

It doesn't strip HTML tags, as the OP asked. – Marcel Korpel Dec 10 '10 at 00:44

PHP: How to strip HTML tag while allowing < and >

5 Answers5