PHP Remove JavaScript

Question

I am trying to remove JavaScript from the HTML.

I can't get the regular expression to work with PHP; it's giving me an null array. Why?

<?php
$var = '
<script type="text/javascript"> 
function selectCode(a) 
{ 
   var e = a.parentNode.parentNode.getElementsByTagName(PRE)[0]; 
   if (window.getSelection) 
   { 
      var s = window.getSelection(); 
       if (s.setBaseAndExtent) 
      { 
         s.setBaseAndExtent(e, 0, e, e.innerText.length - 1); 
      } 
      else 
      { 
         var r = document.createRange(); 
         r.selectNodeContents(e); 
         s.removeAllRanges(); 
         s.addRange(r); 
      } 
   } 
   else if (document.getSelection) 
   { 
      var s = document.getSelection(); 
      var r = document.createRange(); 
      r.selectNodeContents(e); 
      s.removeAllRanges(); 
      s.addRange(r); 
   } 
   else if (document.selection) 
   { 
      var r = document.body.createTextRange(); 
      r.moveToElementText(e); 
      r.select(); 
   } 
} 
</script>
';

   function remove_javascript($java){
   echo preg_replace('/<script\b[^>]*>(.*?)<\/script>/i', "", $java);

   }    
?>

Answer 1

this should do it:

echo preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $var); 

/s is so that the dot . matches newlines too.

Just a warning, you should not use this type of regexp to sanitize user input for a website. There is just too many ways to get around it. For sanitizing use something like the http://htmlpurifier.org/ library

Answer 2

This might do more than you want, but depending on your situation you might want to look at strip_tags.

Answer 3

Here's an idea

while (true) {
  if ($beginning = strpos($var,"<script")) {
    $stringLength = (strpos($var,"</script>") + strlen("</script>")) - $beginning;
    substr_replace($var, "", $beginning, $stringLength);
  } else {
    break
  }
}

Answer 4

In your case you could regard the string as a list of newline delimited strings and remove the lines containing the script tags(first & second to last) and you wouldn't even need regular expressions.

Though if what you are trying to do is preventing XSS it might not be sufficient to only remove script tags.

Answer 5

function clean_jscode($script_str) {
    $script_str = htmlspecialchars_decode($script_str);
    $search_arr = array('<script', '</script>');
    $script_str = str_ireplace($search_arr, $search_arr, $script_str);
    $split_arr = explode('<script', $script_str);
    $remove_jscode_arr = array();
    foreach($split_arr as $key => $val) {
        $newarr = explode('</script>', $split_arr[$key]);
        $remove_jscode_arr[] = ($key == 0) ? $newarr[0] : $newarr[1];
    }
    return implode('', $remove_jscode_arr);
}