PHP function to strip tags, except a list of whitelisted tags and attributes
I have to strip all HTML tags and attributes from a user input except the ones considered "safe" (i.e., a white list approach).
strip_tags() strips all tags except the ones listed in the $allowable_tags parameter. But I also need to be able to strip all the not whitelisted attributes; for example, I want to allow the <b> tag, but I don't want to allow the onclick attribute for obvious reasons.
Is there a function to do that, or will I have to make my own?
As far as I know, the strip_tags solution is about the fastest way to get rid of unwanted tags, and barring 3rd party packages, checking for allowable attributes would be quite easy in DOMDocument:
$string = strip_tags($string, '<b>');   // keep only <b> tags
$dom = new DOMDocument();
$dom->loadHTML($string);
$allowed_attributes = array('id');
foreach ($dom->getElementsByTagName('*') as $node) {
    // Walk the attribute list backwards, because removing an item shifts the indexes.
    for ($i = $node->attributes->length - 1; $i >= 0; $i--) {
        $attribute = $node->attributes->item($i);
        if (!in_array($attribute->name, $allowed_attributes)) {
            $node->removeAttributeNode($attribute);
        }
    }
}
var_dump($dom->saveHTML());   // prints the whole document, including the doctype and <html>/<body> wrapper
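An added example (not code from the answer above) that takes the same DOMDocument approach further: a per-tag attribute allowlist, a scheme check on href so an allowed attribute cannot carry a script URL, and removal of unlisted tags in the DOM instead of with strip_tags(). The allowlist contents, the drop list and the function names are assumptions; only the children of <body> are serialized, so no doctype or <html> wrapper is returned.

```php
<?php // Added example: allowlist, drop list and function names are illustrative assumptions.
const ALLOWED = ['b' => ['id'], 'i' => [], 'p' => ['id'], 'a' => ['href', 'title']];
const DROP = ['script', 'style', 'iframe', 'object', 'embed'];   // removed with content

function href_is_safe(string $url): bool {
    $u = preg_replace('/[\x00-\x20]+/', '', $url);       // browsers drop tabs/newlines in URLs
    return !preg_match('/^[a-z][a-z0-9+.\-]*:/i', $u)     // no scheme: relative URL, or
        || preg_match('/^(https?|mailto):/i', $u) === 1;  // an explicitly allowed scheme
}

function clean_node(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes) as $child) {
        $tag = strtolower($child->nodeName);
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                                     // text is escaped again on output
        } elseif (!$child instanceof DOMElement || in_array($tag, DROP, true)) {
            $node->removeChild($child);                   // comments, PIs, script/style
            continue;
        }
        clean_node($child);                               // sanitize descendants first
        if (!array_key_exists($tag, ALLOWED)) {           // unlisted tag: keep content only
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $listed = in_array($attr->name, ALLOWED[$tag], true);
            if (!$listed || ($attr->name === 'href' && !href_is_safe($attr->value))) {
                $child->removeAttributeNode($attr);
            }
        }
    }
}

function sanitize_html(string $html): string {
    $dom = new DOMDocument();
    $dom->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $dom->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    clean_node($body);
    return implode('', array_map([$dom, 'saveHTML'], iterator_to_array($body->childNodes)));
}

// Constructed sample input.
echo sanitize_html('<b id="x" onclick="f()">hi</b> <a href="javascript:f()">l</a><u>t</u>'), "\n";
```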