php – How to enable some html tags

Question:

I want to allow the use of tags: <b>, <i>, <kbd>, etc.

Therefore, in the code I use the strip_tags() function, but it removes the HTML and PHP tags. In turn, htmlspecialchars() simply replaces them with the corresponding characters, which means that if I later use htmlspecialchars_decode(), then all tags will be displayed, NOT escaped, which threatens security.


How can I allow displaying only some tags, or can I still use strip_tags(), but with a chance of inconvenience for the user (even though a user who wants to use them is far from being a user :))?

Answer:

Alternatively, make a white list for certain tags, and delete those that are not in this list.

Let's say the tags <b> and <i> are allowed. We create a collection in which we put these 2 tags. Next, we create a regular expression that identifies a tag. After that, we sequentially search for any tags by this regular expression in the input string and, if the tag is not contained in our collection, replace it with an empty string.
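
One way to implement the allowlist described in the answer, as an added example that is not code from the original post. It goes a step further than the answer: allowed tags are rebuilt without their attributes (so `<b onmouseover=...>` becomes a bare `<b>`), and everything that is not a tag is escaped. The names `ALLOWED_TAGS` and `sanitize_markup()` and the sample input are made up for this illustration.

```php
<?php
declare(strict_types=1);

// Allowlist taken from the question; the constant name is hypothetical.
const ALLOWED_TAGS = ['b', 'i', 'kbd'];

/**
 * Keep only bare allowlisted tags, drop every other tag,
 * and HTML-escape all remaining text.
 */
function sanitize_markup(string $input): string
{
    // Split into alternating text / tag-like tokens.
    // With one capture group, odd indexes hold the captured tags.
    $parts = preg_split('~(</?[a-zA-Z][^>]*>)~', $input, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        // Regex engine failure (e.g. invalid UTF-8 limits): fail closed.
        return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {
            // Plain text: escape it, so a stray "<" can never start a tag.
            $out .= htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            continue;
        }
        // Tag token: extract the optional "/" and the tag name only.
        if (preg_match('~^<(/?)([a-zA-Z][a-zA-Z0-9]*)(?=[\s/>])~', $part, $m)
            && in_array(strtolower($m[2]), ALLOWED_TAGS, true)
        ) {
            // Re-emit the tag from scratch: attributes are never copied.
            $out .= '<' . $m[1] . strtolower($m[2]) . '>';
        }
        // Any other tag is replaced with an empty string, as in the answer.
    }
    return $out;
}

// Constructed sample input, not from the original page.
$sample = '<b onmouseover="x()">bold</b> <script>x()</script> 1 < 2 <KBD>Ctrl</KBD>';
echo sanitize_markup($sample), PHP_EOL;
```

This does not balance tags, so an unclosed `<b>` still affects the markup that follows it on the page. For anything richer than a few bare tags, a maintained sanitizer such as HTML Purifier is the safer choice.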
