Q. Explain strip_tags() in PHP
In PHP, strip_tags() is a function used to remove HTML and PHP tags from a string. It's primarily used for sanitizing user input to prevent cross-site scripting (XSS) attacks by removing any potentially harmful HTML or PHP code before displaying the content to users.
Here's the basic syntax of strip_tags():
phpstring strip_tags ( string $str [, string $allowable_tags ] )
$str: The input string from which HTML and PHP tags will be stripped.$allowable_tags(optional): A string containing a list of tags that should not be removed. If specified, only the tags listed in this string will be preserved; all other tags will be removed.
If $allowable_tags is not provided, strip_tags() removes all HTML and PHP tags from the input string.
Example without $allowable_tags:
php$input = '<p>Hello <b>world</b>!</p>';
$output = strip_tags($input);
echo $output;
// Output: Hello world!
In this example, <p> and <b> tags are removed from the input string, leaving only the text "Hello world!".
Example with $allowable_tags:
php$input = '<p>Hello <b>world</b>! <a href="#">Click here</a></p>';
$output = strip_tags($input, '<b>');
echo $output;
// Output: Hello <b>world</b>!
In this example, only the <b> tag is preserved because it's listed in the $allowable_tags parameter. All other tags, including <p> and <a>, are removed from the input string.
It's important to note that while strip_tags() can help mitigate XSS attacks by removing HTML and PHP tags, it's not foolproof and should not be relied upon as the sole method of sanitizing user input. Other techniques such as input validation, output encoding, and context-specific sanitization should also be used to ensure the security of your PHP applications.
No comments:
Post a Comment