Examples tested against actual runtime. CI re-verifies continuously. Only documented examples are tested.
How to use
Install via yarn add locutus and import:
import { strip_tags } from 'locutus/php/strings/strip_tags'.
Or with CommonJS: const { strip_tags } = require('locutus/php/strings/strip_tags')
Use a bundler that supports tree-shaking so you only ship the functions you actually use.
Vite,
webpack,
Rollup, and
Parcel
all handle this. For server-side use this is less of a concern.
Examples
These examples are extracted from test cases that automatically verify our functions against their native counterparts.
exportfunctionstrip_tags(input: string | number, allowed?: string): string { // discuss at: https://locutus.io/php/strip_tags/ // parity verified: PHP 8.3 // original by: Kevin van Zonneveld (https://kvz.io) // improved by: Luke Godfrey // improved by: Kevin van Zonneveld (https://kvz.io) // input by: Pul // input by: Alex // input by: Marc Palau // input by: Brett Zamir (https://brett-zamir.me) // input by: Bobby Drake // input by: Evertjan Garretsen // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Onno Marsman (https://twitter.com/onnomarsman) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Eric Nagel // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Tomasz Wesolowski // bugfixed by: Tymon Sturgeon (https://scryptonite.com) // bugfixed by: Tim de Koning (https://www.kingsquare.nl) // revised by: Rafał Kukawski (https://blog.kukawski.pl) // example 1: strip_tags('<p>Kevin</p> <br /><b>van</b> <i>Zonneveld</i>', '<i><b>') // returns 1: 'Kevin <b>van</b> <i>Zonneveld</i>' // example 2: strip_tags('<p>Kevin <img src="someimage.png" onmouseover="someFunction()">van <i>Zonneveld</i></p>', '<p>') // returns 2: '<p>Kevin van Zonneveld</p>' // example 3: strip_tags("<a href='https://kvz.io'>Kevin van Zonneveld</a>", "<a>") // returns 3: "<a href='https://kvz.io'>Kevin van Zonneveld</a>" // example 4: strip_tags('1 < 5 5 > 1') // returns 4: '1 < 5 5 > 1' // example 5: strip_tags('1 <br/> 1') // returns 5: '1 1' // example 6: strip_tags('1 <br/> 1', '<br>') // returns 6: '1 <br/> 1' // example 7: strip_tags('1 <br/> 1', '<br><br/>') // returns 7: '1 <br/> 1' // example 8: strip_tags('<i>hello</i> <<foo>script>world<</foo>/script>') // returns 8: 'hello world' // example 9: strip_tags(4) // returns 9: '4'
// making sure the allowed arg is a string containing only tags in lowercase (<a><b><c>) allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('')
let after = _phpCastString(input) // removes tha '<' char at the end of the string to replicate PHP's behaviour after = after.endsWith('<') ? after.slice(0, -1) : after
// recursively remove tags to ensure that the returned string doesn't contain forbidden tags after previous passes (e.g. '<<bait/>switch/>') while (true) { const before = after after = before.replace(commentsAndPhpTags, '').replace(tags, function ($0: string, $1: string) { return allowed.includes('<' + $1.toLowerCase() + '>') ? $0 : '' })
// return once no more tags are removed if (before === after) { return after } } }
exportfunctionstrip_tags(input, allowed) { // discuss at: https://locutus.io/php/strip_tags/ // parity verified: PHP 8.3 // original by: Kevin van Zonneveld (https://kvz.io) // improved by: Luke Godfrey // improved by: Kevin van Zonneveld (https://kvz.io) // input by: Pul // input by: Alex // input by: Marc Palau // input by: Brett Zamir (https://brett-zamir.me) // input by: Bobby Drake // input by: Evertjan Garretsen // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Onno Marsman (https://twitter.com/onnomarsman) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Eric Nagel // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Tomasz Wesolowski // bugfixed by: Tymon Sturgeon (https://scryptonite.com) // bugfixed by: Tim de Koning (https://www.kingsquare.nl) // revised by: Rafał Kukawski (https://blog.kukawski.pl) // example 1: strip_tags('<p>Kevin</p> <br /><b>van</b> <i>Zonneveld</i>', '<i><b>') // returns 1: 'Kevin <b>van</b> <i>Zonneveld</i>' // example 2: strip_tags('<p>Kevin <img src="someimage.png" onmouseover="someFunction()">van <i>Zonneveld</i></p>', '<p>') // returns 2: '<p>Kevin van Zonneveld</p>' // example 3: strip_tags("<a href='https://kvz.io'>Kevin van Zonneveld</a>", "<a>") // returns 3: "<a href='https://kvz.io'>Kevin van Zonneveld</a>" // example 4: strip_tags('1 < 5 5 > 1') // returns 4: '1 < 5 5 > 1' // example 5: strip_tags('1 <br/> 1') // returns 5: '1 1' // example 6: strip_tags('1 <br/> 1', '<br>') // returns 6: '1 <br/> 1' // example 7: strip_tags('1 <br/> 1', '<br><br/>') // returns 7: '1 <br/> 1' // example 8: strip_tags('<i>hello</i> <<foo>script>world<</foo>/script>') // returns 8: 'hello world' // example 9: strip_tags(4) // returns 9: '4'
// making sure the allowed arg is a string containing only tags in lowercase (<a><b><c>) allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('')
let after = _phpCastString(input) // removes tha '<' char at the end of the string to replicate PHP's behaviour after = after.endsWith('<') ? after.slice(0, -1) : after
// recursively remove tags to ensure that the returned string doesn't contain forbidden tags after previous passes (e.g. '<<bait/>switch/>') while (true) { const before = after after = before.replace(commentsAndPhpTags, '').replace(tags, function ($0, $1) { return allowed.includes('<' + $1.toLowerCase() + '>') ? $0 : '' })
// return once no more tags are removed if (before === after) { return after } } }
function_phpCastString(value: CastStringValue): string { // original by: Rafał Kukawski
if (typeof value === 'boolean') { return value ? '1' : '' } if (typeof value === 'string') { return value } if (typeof value === 'number') { if (isNaN(value)) { return'NAN' }
return value + '' } if (typeof value === 'undefined') { return'' } if (typeof value === 'object') { if (Array.isArray(value)) { return'Array' }
if (value !== null) { return'Object' }
return'' }
thrownewError('Unsupported value type') }
// php/strings/strip_tags (target function module) functionstrip_tags(input: string | number, allowed?: string): string { // discuss at: https://locutus.io/php/strip_tags/ // parity verified: PHP 8.3 // original by: Kevin van Zonneveld (https://kvz.io) // improved by: Luke Godfrey // improved by: Kevin van Zonneveld (https://kvz.io) // input by: Pul // input by: Alex // input by: Marc Palau // input by: Brett Zamir (https://brett-zamir.me) // input by: Bobby Drake // input by: Evertjan Garretsen // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Onno Marsman (https://twitter.com/onnomarsman) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Eric Nagel // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Tomasz Wesolowski // bugfixed by: Tymon Sturgeon (https://scryptonite.com) // bugfixed by: Tim de Koning (https://www.kingsquare.nl) // revised by: Rafał Kukawski (https://blog.kukawski.pl) // example 1: strip_tags('<p>Kevin</p> <br /><b>van</b> <i>Zonneveld</i>', '<i><b>') // returns 1: 'Kevin <b>van</b> <i>Zonneveld</i>' // example 2: strip_tags('<p>Kevin <img src="someimage.png" onmouseover="someFunction()">van <i>Zonneveld</i></p>', '<p>') // returns 2: '<p>Kevin van Zonneveld</p>' // example 3: strip_tags("<a href='https://kvz.io'>Kevin van Zonneveld</a>", "<a>") // returns 3: "<a href='https://kvz.io'>Kevin van Zonneveld</a>" // example 4: strip_tags('1 < 5 5 > 1') // returns 4: '1 < 5 5 > 1' // example 5: strip_tags('1 <br/> 1') // returns 5: '1 1' // example 6: strip_tags('1 <br/> 1', '<br>') // returns 6: '1 <br/> 1' // example 7: strip_tags('1 <br/> 1', '<br><br/>') // returns 7: '1 <br/> 1' // example 8: strip_tags('<i>hello</i> <<foo>script>world<</foo>/script>') // returns 8: 'hello world' // example 9: strip_tags(4) // returns 9: '4'
// making sure the allowed arg is a string containing only tags in lowercase (<a><b><c>) allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('')
let after = _phpCastString(input) // removes tha '<' char at the end of the string to replicate PHP's behaviour after = after.endsWith('<') ? after.slice(0, -1) : after
// recursively remove tags to ensure that the returned string doesn't contain forbidden tags after previous passes (e.g. '<<bait/>switch/>') while (true) { const before = after after = before.replace(commentsAndPhpTags, '').replace(tags, function ($0: string, $1: string) { return allowed.includes('<' + $1.toLowerCase() + '>') ? $0 : '' })
// return once no more tags are removed if (before === after) { return after } } }
if (typeof value === 'boolean') { return value ? '1' : '' } if (typeof value === 'string') { return value } if (typeof value === 'number') { if (isNaN(value)) { return'NAN' }
return value + '' } if (typeof value === 'undefined') { return'' } if (typeof value === 'object') { if (Array.isArray(value)) { return'Array' }
if (value !== null) { return'Object' }
return'' }
thrownewError('Unsupported value type') }
// php/strings/strip_tags (target function module) functionstrip_tags(input, allowed) { // discuss at: https://locutus.io/php/strip_tags/ // parity verified: PHP 8.3 // original by: Kevin van Zonneveld (https://kvz.io) // improved by: Luke Godfrey // improved by: Kevin van Zonneveld (https://kvz.io) // input by: Pul // input by: Alex // input by: Marc Palau // input by: Brett Zamir (https://brett-zamir.me) // input by: Bobby Drake // input by: Evertjan Garretsen // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Onno Marsman (https://twitter.com/onnomarsman) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Eric Nagel // bugfixed by: Kevin van Zonneveld (https://kvz.io) // bugfixed by: Tomasz Wesolowski // bugfixed by: Tymon Sturgeon (https://scryptonite.com) // bugfixed by: Tim de Koning (https://www.kingsquare.nl) // revised by: Rafał Kukawski (https://blog.kukawski.pl) // example 1: strip_tags('<p>Kevin</p> <br /><b>van</b> <i>Zonneveld</i>', '<i><b>') // returns 1: 'Kevin <b>van</b> <i>Zonneveld</i>' // example 2: strip_tags('<p>Kevin <img src="someimage.png" onmouseover="someFunction()">van <i>Zonneveld</i></p>', '<p>') // returns 2: '<p>Kevin van Zonneveld</p>' // example 3: strip_tags("<a href='https://kvz.io'>Kevin van Zonneveld</a>", "<a>") // returns 3: "<a href='https://kvz.io'>Kevin van Zonneveld</a>" // example 4: strip_tags('1 < 5 5 > 1') // returns 4: '1 < 5 5 > 1' // example 5: strip_tags('1 <br/> 1') // returns 5: '1 1' // example 6: strip_tags('1 <br/> 1', '<br>') // returns 6: '1 <br/> 1' // example 7: strip_tags('1 <br/> 1', '<br><br/>') // returns 7: '1 <br/> 1' // example 8: strip_tags('<i>hello</i> <<foo>script>world<</foo>/script>') // returns 8: 'hello world' // example 9: strip_tags(4) // returns 9: '4'
// making sure the allowed arg is a string containing only tags in lowercase (<a><b><c>) allowed = (((allowed || '') + '').toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('')
let after = _phpCastString(input) // removes tha '<' char at the end of the string to replicate PHP's behaviour after = after.endsWith('<') ? after.slice(0, -1) : after
// recursively remove tags to ensure that the returned string doesn't contain forbidden tags after previous passes (e.g. '<<bait/>switch/>') while (true) { const before = after after = before.replace(commentsAndPhpTags, '').replace(tags, function ($0, $1) { return allowed.includes('<' + $1.toLowerCase() + '>') ? $0 : '' })
// return once no more tags are removed if (before === after) { return after } } }
Improve this function
Locutus is a community effort following
The McDonald's Theory:
we ship first iterations, hoping others will improve them.
If you see something that could be better, we'd love your contribution.