php strip_tags: allows <br />?

Question

How it is possible to allow <br /> in strip_tags() or any way I can get around to it?

<?php
$text = '<p>Test <br />paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p>, <a>, <br />
echo strip_tags($text, '<p><a><br />');
echo "\n";

// Allow <br /> only
echo strip_tags($text, '<br />');
?>

result:

Test paragraph. Other text
<p>Test paragraph.</p> <a href="#fragment">Other text</a>
Test paragraph. Other text

Thanks, Lau

Answer 1

Don't use a self-closing tag name? echo strip_tags($text, '<br>');

The strip_tags() function's allowable_tags argument takes the allowed tags in the form <tagname> The reason your code didn't work was because you used <br /> instead of <br>.

Answer 2

strip_tags is not intended as a security measure, and using it with allowable_tags is definitely insecure, as it'll let through event handler and other harmful attributes.

If you want to allow user input with a few whitelisted elements and attributes you'll need to use a HTML-sanitising library with a proper HTML parser. See for example HTML purifier.

It's usually better for user comments not to give the user control over the HTML markup at all, but instead to accept raw text, HTML-escape it on output, and do replacements to generate markup from text (eg: \n -> <br>, \n\n -> </p><p>, link detection).

Answer 3

Whitespace is also not allowed in tags: http://php.net/manual/en/function.strip-tags.php (see 2nd note)