auraphp / Aura.Filter

Validate and sanitize arrays and objects.
MIT License

Sanitize to remove html #110

Closed designermonkey closed 8 years ago

designermonkey commented 8 years ago

Do you have any suggestions on how to remove html during sanitization?

pmjones commented 8 years ago

Depends on your paranoia level. The strip_tags() function is lightweight in that it's built-in to PHP, though it may not catch all cases. On the other end of the spectrum, HTMLPurifier is apparently the gold standard, but it's a lot more code to support and interface with. In the middle is DOM, which is built-in but requires some work on your part.

Does that begin to help?

designermonkey commented 8 years ago

I took your advice and found a good function that regex strips tags, and then runs through strip tags. I have a problem though.

    // Sanitize 'title' through a callback that replaces the field value in place.
    $f->sanitize('title')->to('callback', function ($subject, $field) {
        if (function_exists('strip_html_tags')) {
            $subject->$field = strip_html_tags($subject->$field);
        }

        return true;
    });

Based on the example in the docs. Problem is it allows the string intact with tags through the sanitize function. I've verified that my strip_html_tags function works.

harikt commented 8 years ago

How about writing a test to show this is not working as expected?

You may want to look at https://github.com/auraphp/Aura.Filter/blob/2.x/tests/SubjectFilterTest.php, or at https://github.com/auraphp/Aura.Filter/blob/2.x/tests/Rule/Sanitize/AbstractSanitizeTest.php and https://github.com/auraphp/Aura.Filter/blob/2.x/tests/Rule/Sanitize/CallbackTest.php.

Thank you.

harikt commented 8 years ago

@designermonkey also I wonder whether it is really going inside the `if (function_exists('strip_html_tags')) {`. Do you have a namespace etc. on that class? In that case it probably may not be. Try an `exit` inside and see, for a quick test.

designermonkey commented 8 years ago

Turns out it was me being a muppet. I return a request instance from my filter functionality, and had neglected to add the filtered input back to the immutable instance.

Sorry chaps. Thanks for your time though.
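An added example, not code from the thread or from the Aura.Filter project, showing the "DOM" option pmjones describes wired into the callback sanitizer form posted above, and the point from the resolution that the callback mutates the subject passed to the filter. It assumes `FilterFactory::newSubjectFilter()` and `apply()` behave as in Aura.Filter 2.x, and `strip_html_tags_dom` is a name chosen here.

```php
<?php
// Added example (not from the thread or Aura.Filter): DOM-based tag stripping
// inside the callback sanitizer. FilterFactory::newSubjectFilter() and
// SubjectFilter::apply() are assumed to behave as in Aura.Filter 2.x.
use Aura\Filter\FilterFactory;

/**
 * Parse the input as an HTML fragment and keep only its text nodes, skipping
 * text inside <script> and <style> (strip_tags() keeps that as plain text).
 * Entities are decoded, so the result is plain text and must still be
 * escaped (htmlspecialchars) when rendered into a page.
 */
function strip_html_tags_dom(string $html): string
{
    if (!mb_check_encoding($html, 'UTF-8')) {
        return ''; // refuse malformed byte sequences instead of guessing
    }
    $prev = libxml_use_internal_errors(true); // broken markup is expected
    $doc = new DOMDocument();
    // The encoding hint and the wrapper element keep libxml from guessing the
    // charset or adding <html><body> around the fragment.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    $text  = '';
    $nodes = $xpath->query('//text()[not(ancestor::script) and not(ancestor::style)]');
    foreach ($nodes as $node) {
        $text .= $node->nodeValue;
    }
    return trim(preg_replace('/\s+/u', ' ', $text));
}

$filter = (new FilterFactory())->newSubjectFilter();
$filter->sanitize('title')->to('callback', function ($subject, $field) {
    $subject->$field = strip_html_tags_dom((string) $subject->$field);
    return true;
});

// Constructed sample input. The callback changes the object handed to apply();
// if your request object is immutable, copy the sanitized value back into it,
// which is what was missing in this thread.
$subject = (object) ['title' => 'Hello <b>world</b><script>alert(1)</script> &amp; <i>friends'];
$filter->apply($subject);
```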