Original: PHP example — outputting "safe" HTML (regex allow-list filter)
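// output-safe HTML
/**
 * Produce "output-safe" HTML from an untrusted fragment.
 *
 * Approach (kept from the original snippet): comments, `<? ... ?>` blocks and
 * inline <script> blocks are removed; the characters `[`, `]` and `|` are
 * entity-encoded so they can serve as placeholder delimiters; every allowed
 * `<tag attrs>` / `</tag>` is rewritten to `[tag attrs]` / `[/tag]`; all
 * remaining `<`, `>` and `"` are entity-encoded; finally the placeholders are
 * turned back into real tags with double-quoted attribute values.
 *
 * Fixes over the original: the allow-list is anchored to whole tag names (an
 * allowed `i` or `em` no longer admits <iframe> or <embed>); closing tags are
 * kept only for allowed names (the old "any paired tag" loop re-admitted every
 * tag, so the allow-list was not actually enforced); dangerous attribute names
 * must start at an attribute boundary and be followed by `=`
 * (src="icon.png" is no longer truncated at "on"); attribute values are
 * entity-decoded before the scheme check and re-escaped afterwards (the
 * original never decoded, so an entity-encoded scheme passed the check and was
 * decoded by the browser); the comment/script regexes are non-greedy so one
 * match cannot delete the text between two blocks; the quote regex no longer
 * uses a backreference inside a character class (which PCRE reads as chr(2)).
 *
 * CAVEAT: this is still a regex filter, not an HTML parser, and the attribute
 * and scheme keyword lists are the original author's. Do not treat the output
 * as trusted. If the text needs no markup, use
 * htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') instead; if it
 * does, prefer a parser-based allow-list sanitizer.
 *
 * @param mixed       $text Untrusted HTML fragment (cast to string; null → '').
 * @param string|null $tags Allow-listed tag names separated by `|`; null/empty
 *                          selects the built-in default list. Developer-controlled.
 * @return string
 * @throws \InvalidArgumentException if $tags is not `name|name|...` of
 *                                   alphanumeric tag names (it is spliced into a regex).
 */
function h($text, $tags = null)
{
    $text = trim((string) $text);

    // Entity-encode the placeholder delimiters [ ] | wherever they occur.
    $reserve = static function (string $s): string {
        return str_replace(['[', ']', '|'], ['&#091;', '&#093;', '&#124;'], $s);
    };

    // Remove comments, <? ... ?> blocks and inline <script> blocks outright.
    // Non-greedy + DOTALL so one match cannot span from the first block to the
    // last one (the original '.*' deleted the legitimate text in between).
    $text = preg_replace('/<!--.*?-->/s', '', $text);
    $text = preg_replace('/<\?.*?\?' . '>/s', '', $text);
    $text = preg_replace('/<script\b.*?<\/script\s*>/is', '', $text);

    // Reserve the delimiters, collapse newlines to a space and turn <br>
    // variants into a placeholder; runs of 10+ collapse to a single one.
    $text = $reserve($text);
    $text = preg_replace('/\r?\n/', ' ', $text);
    $text = preg_replace('/<br\s*\/?' . '>/i', '[br]', $text);
    $text = preg_replace('/(\[br\]\s*){10,}/i', '[br]', $text);

    // Strip dangerous attributes (inherited name list). The name must begin at
    // an attribute boundary — whitespace, '/', or a closing quote — and be
    // followed by '=', so substrings such as src="icon.png" or "?lang=" inside
    // a URL are not hit. As in the original, everything from the attribute to
    // the end of the tag is dropped; repeat until nothing matches.
    $badAttr = '/(<[^><]*?)(?<=[\s\/"\'])(?:lang|on\w*|action|background|codebase|dynsrc|lowsrc)\s*=[^><]*/i';
    while (preg_match($badAttr, $text, $m)) {
        $text = str_replace($m[0], $m[1], $text);
    }

    // Allow-list. Whole-name matches only, so an allowed 'i' or 'em' cannot
    // admit <iframe> or <embed>; closing tags are kept only for allowed names.
    if (empty($tags)) {
        $tags = 'table|td|th|tr|i|b|u|strong|img|p|br|div|strong|em|ul|ol|li|dl|dd|dt|a';
    }
    if (!preg_match('/^[A-Za-z0-9]+(\|[A-Za-z0-9]+)*$/', (string) $tags)) {
        throw new \InvalidArgumentException('$tags must be alphanumeric tag names separated by "|"');
    }
    $text = preg_replace('/<(' . $tags . ')(?![\w-])([^><\[\]]*?)\s*>/i', '[$1$2]', $text);
    $text = preg_replace('/<\/(' . $tags . ')\s*>/i', '[/$1]', $text);

    // Remove the remaining structural/active tags entirely (inherited list);
    // any other non-allowed tag is entity-encoded below instead of removed.
    $text = preg_replace(
        '/<\/?(?:html|head|meta|link|base|basefont|body|bgsound|title|style|script|form|iframe|frame|frameset|applet|id|ilayer|layer|name|xml)\b[^><]*>/i',
        '',
        $text
    );

    // Normalise every attribute value inside a placeholder to `attr=|value|`
    // (quoted or unquoted in the input). The value is entity-decoded first so
    // an encoded scheme cannot slip past the check, probed with spaces and
    // control characters removed (browsers ignore those inside URLs), emptied
    // if the probe matches, then re-escaped with the delimiters re-reserved.
    // Quotes that do not form a pair are dropped. The keyword list is the
    // original author's and is not exhaustive.
    $badScheme = '/window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie/i';
    $text = preg_replace_callback(
        '/\[[^\[\]]*\]/',
        static function (array $tag) use ($reserve, $badScheme): string {
            $inner = preg_replace_callback(
                '/=\s*(?:(["\'])((?:(?!\1).)*)\1|([^\s"\'\]]+))/',
                static function (array $m) use ($reserve, $badScheme): string {
                    // Group 3 is the unquoted form; groups 1/2 the quoted one.
                    $value = ($m[3] ?? '') !== '' ? $m[3] : $m[2];
                    $value = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
                    if (preg_match($badScheme, preg_replace('/[\x00-\x20]+/', '', $value))) {
                        $value = '';
                    }
                    $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                    return '=|' . $reserve($value) . '|';
                },
                $tag[0]
            );
            return str_replace(['"', "'"], '', $inner);
        },
        $text
    );

    // Everything still raw is not allowed: encode it. Then restore the
    // placeholders and their |-quoted values.
    $text = str_replace(['<', '>', '"'], ['&lt;', '&gt;', '&quot;'], $text);
    $text = str_replace(['[', ']', '|'], ['<', '>', '"'], $text);

    // Collapse runs of spaces (the original only halved one run per call).
    return (string) preg_replace('/ {2,}/', ' ', $text);
}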
PHP example — outputting "safe" HTML code