
Drfraker:

Help with Input sanitization

I am using a form with TinyMce editor. I'm trying to allow

<p> <div> <em> <strong> <ul> <ol> <li> 

elements while at the same time removing < script > tags. For some reason when I get the input from the form it is already escaped and looks like this:

<p>hello world</p>
<p>&lt; script &gt; alert('hi'); &lt; /script &gt; </p>
<p></p>
<p></p>

I'm setting this data to a dirtyInput array and running it through this foreach loop:

// Validate the input based on Note.php rules
$validation = Validator::make($dirtyInput = Input::except('mbo_appointment_id'), Quickernotes\Note::$rules);

if ($validation->fails())
{
    return \Redirect::back()->withInput()->withErrors($validation);
}

// Strip out tags that are not allowed
$input = [];
foreach ($dirtyInput as $key => $val) {
    $input += [$key => strip_tags($val, '<p> <div> <ol> <ul> <li> <strong> <em>')];
}

After this loop I save the input to the database. When I pass this data back to the view the alert still pops up on the screen! I'm also using the {{{triple curly braces}}} in blade templates.

What am I doing wrong?

austenc:

Is it possible that tinymce is escaping things on the client side for you? Otherwise, it's not clear to me where your problem might be. The 'alert still pops up' doesn't give us much to go on. :) Could you be more specific as to where your problem lies? Is the data getting saved to the database as you'd expect? Posting your view / controller code may help too.

RachidLaasri:

Why don't you simply create a helper that will remove all unwanted tags?

Drfraker:

What I mean by the alert still pops up is this. When I load the view with this text in it the javascript is executed and an alert box pops up in the browser with the text "hi". Just as you'd expect if you were allowing scripts to be stored. I think that since the tags are already decoded the strip_tags function isn't working to remove them. Would that be a correct assumption?

Also the code that I have in my first post is the controller code for the store method, aside from the call to the repository to actually store it.

@RachidLaasri: when you say create a helper to remove all unwanted tags could you be more specific? You mean to abstract the code that I have:

// Strip out tags that are not allowed
$input = [];
foreach ($dirtyInput as $key => $val) {
    $input += [$key => strip_tags($val, '<p> <div> <ol> <ul> <li> <strong> <em>')];
}

to another method? Or to a helpers class? Or something altogether different?

Thanks for your help.

RachidLaasri:

The problem as I see it: strip_tags doesn't delete "script" from your code, because it's already converted to entities.

What I meant is to create a function that will convert entities to tags and then apply the strip_tags function.

function my_custom_function($dirtyInput) {
    // Turn the editor's entities (&lt;script&gt; ...) back into real tags
    $tags = html_entity_decode($dirtyInput);
    // Now strip_tags can see the <script> tags and remove them
    return strip_tags($tags, '<p> <div> <ol> <ul> <li> <strong> <em>');
}

so that you can use it like this:

$input = [];
foreach ($dirtyInput as $key => $val) {
    $input += [$key => my_custom_function($val)];
}
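As an added example (not code from any participant in this thread, and not tied to Laravel), the script below puts the decode-then-strip helper from the answer above next to a stricter allowlist pass over the same input. It exists because strip_tags keeps every attribute on a tag it allows (the PHP manual says so explicitly), so a decoded note can still carry an event-handler attribute on an allowed <strong> or <p>. The second function parses the decoded HTML with DOMDocument, keeps only the thread's seven tags, drops all attributes, removes <script>/<style> together with their contents, and re-escapes stray text on output. The sample submission is constructed to resemble the OP's encoded form data; the function names and the NOTE_ALLOWED_TAGS constant are this example's own.

```php
<?php
declare(strict_types=1);

// The tags the note may keep, as listed in the thread (example's own constant).
const NOTE_ALLOWED_TAGS = ['p', 'div', 'em', 'strong', 'ul', 'ol', 'li'];

/**
 * The approach from the answer above: the editor encoded the whole submission,
 * so decode entities first, then let strip_tags remove disallowed tags.
 * Limitation: attributes on allowed tags survive untouched.
 */
function decode_then_strip(string $dirty): string
{
    $decoded = html_entity_decode($dirty, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strip_tags($decoded, '<p><div><ol><ul><li><strong><em>');
}

/**
 * Stricter variant: decode, parse as HTML, and rebuild the fragment from
 * bare allowed elements and text only.
 */
function sanitize_note_html(string $dirty): string
{
    $html = html_entity_decode($dirty, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // sloppy markup only produces warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body, NOTE_ALLOWED_TAGS);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);                  // text nodes are re-escaped here
    }
    return $out;
}

function clean_children(DOMNode $node, array $allowed): void
{
    // Iterate over a snapshot, because the loop body edits the live child list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                     // plain text is always acceptable
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);                   // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);                   // drop the element and its contents
            continue;
        }
        clean_children($child, $allowed);                 // clean descendants first
        if (in_array($tag, $allowed, true)) {
            while ($child->hasAttributes()) {             // none of the allowed tags needs attributes
                $child->removeAttributeNode($child->attributes->item(0));
            }
        } else {
            while ($child->firstChild) {                  // unwrap: keep the text, lose the element
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
        }
    }
}

// Constructed sample in the shape of the OP's encoded submission, plus one
// allowed tag carrying an attribute that strip_tags alone would keep.
$sample = "&lt;p&gt;hello world&lt;/p&gt;\n"
        . "&lt;p&gt;&lt;script&gt;alert('hi');&lt;/script&gt;&lt;/p&gt;\n"
        . "&lt;p&gt;&lt;strong onclick=&quot;alert('hi')&quot;&gt;bold&lt;/strong&gt;&lt;/p&gt;";

echo decode_then_strip($sample), "\n\n";   // script tags gone (their text stays), onclick survives
echo sanitize_note_html($sample), "\n";     // only bare <p> and <strong> remain
```

Decoding the whole value with html_entity_decode is only correct because, as the OP confirmed, the editor encodes the entire submission; applied to input where `&lt;` was typed deliberately as literal text, it would turn that text into a tag before the allowlist sees it. The DOM pass re-escapes any remaining text on output, so the stored value is already safe HTML and should be rendered without a second round of escaping.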
austenc:

Either what @RachidLaasri mentioned or look into if tinymce or something related is causing those script entities to be changed to the &lt; type.

Drfraker:

@RachidLaasri,

Thanks for the advice. It is TinyMce that is encoding the script tags. Went with your answer and it worked like a charm.
