Zend_Filter_StripTags ignoring allowed tags and attributes


I'm trying to use the following code and it still strips out all the tags. Am I doing something wrong? I'm using the newest V1.10.

$allowed_tags = array('img', 'object', 'param', 'embed', 'a', 'href', 'p', 'br', 'em', 'strong', 'li', 'ol', 'span');
$allowed_attributes = array('style', 'src', 'alt', 'href', 'width', 'height', 'value', 'name', 'type', 'embed', 'quality', 'pluginspage');
Zend_Loader::loadClass('Zend_Filter_StripTags');
$html_filter = new Zend_Filter_StripTags($allowed_tags, $allowed_attributes);

$post = $html_filter->filter($this->_request->getPost('post'));

For a test case I've been using the same string; this is what's going in:

<p><span style="background-color: #333399; color: #ff9900; text-decoration: underline;"><em><strong>This is a test</strong></em></span></p>

<p><span style="background-color: #333399; color: #ff9900;"><strong><em><sub><span style="background-color: #ffffff;"><span style="color: #000000;">asdf</span></span></sub></em></strong></span></p>

<p><span style="background-color: #333399; color: #ff9900;"><strong><em><span style="background-color: #ffffff;"><span style="color: #000000;"><sup>asdf</sup></span></span></em></strong></span></p>

<p><span style="background-color: #333399; color: #ff9900;"><strong><em><span style="background-color: #ffffff;"><span style="color: #000000;"><img title="Cool" src="../../../public/scripts/tinymce/plugins/emotions/img/smiley-cool.gif" border="0" alt="Cool" />asdf</span></span></em></strong></span></p>

<ul>

<li><span style="background-color: #333399; color: #ff9900;"><strong><em><span style="background-color: #ffffff;"><span style="color: #000000;">sadf</span></span></em></strong></span></li>

</ul>

<ol>

<li><span style="background-color: #333399; color: #ff9900;"><strong><em><span style="background-color: #ffffff;"><span style="color: #000000;">asdf</span></span></em></strong></span></li>

</ol>

This is what comes out:

This is a test

asdf

asdf

asdf

sadf

asdf


Alternatively, perhaps there's something else wrong, as I just tried this:

$post = strip_tags($this->_request->getPost('elm1'), '<img><object><param><embed><a><href><p><br><em><strong><li><ol><span>');

And it stripped out everything as well. Perhaps there is a setting in PHP that I'm missing?

Best answer

According to the API Doc for the StripTags Filter, the constructor signature is

void __construct([string|array|Zend_Config $options = null])

So it should work with this (updated):

$html_filter = new Zend_Filter_StripTags(array(
  'allowTags' => $allowed_tags, 
  'allowAttribs' => $allowed_attributes
));

In earlier versions of Zend Framework (1.8.4) you had to do

$html_filter = new Zend_Filter_StripTags($allowed_tags, $allowed_attributes);

All versions should support:

$html_filter = new Zend_Filter_StripTags;
$html_filter->setAttributesAllowed($allowed_attributes);
$html_filter->setTagsAllowed($allowed_tags);

Internally, StripTags works with str_replace and preg_replace. So even if someone added strip_tags() to the list of disallowed functions in your php.ini, the filter should work.

I've tried with your example code and it worked.
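
Added example (not part of the original question or answer): a stand-alone check that runs the setter form from the answer and native strip_tags() over a literal string, so a filter problem can be told apart from an input problem. It assumes Zend Framework 1 is on the include_path; the sample string is constructed from the question's test markup, and surviving_tags() is a hypothetical helper.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes Zend Framework 1 is on the include_path.
require_once 'Zend/Filter/StripTags.php';

// Constructed sample: part of the question's test markup, plus an onclick
// attribute and a <ul> that are deliberately absent from the allow-lists.
$sample = '<p><span style="color: #ff9900;" onclick="x()"><em><strong>'
        . 'This is a test</strong></em></span></p><ul><li>sadf</li></ul>';

$allowed_tags       = array('p', 'span', 'em', 'strong', 'li', 'ol');
$allowed_attributes = array('style');

// Setter form, which the answer says all versions should support.
function zend_strip($html, array $tags, array $attribs)
{
    $filter = new Zend_Filter_StripTags;
    $filter->setTagsAllowed($tags);
    $filter->setAttributesAllowed($attribs);
    return $filter->filter($html);
}

// Native strip_tags() for comparison. It allow-lists tag names only, so
// every attribute on a kept tag (onclick here) is left in place.
function native_strip($html, array $tags)
{
    return strip_tags($html, '<' . implode('><', $tags) . '>');
}

// Hypothetical helper: report which allow-listed tags survive filtering.
function surviving_tags($html, array $tags)
{
    $found = array();
    foreach ($tags as $tag) {
        if (preg_match('/<' . preg_quote($tag, '/') . '[\s>\/]/i', $html)) {
            $found[] = $tag;
        }
    }
    return $found;
}

$zend   = zend_strip($sample, $allowed_tags, $allowed_attributes);
$native = native_strip($sample, $allowed_tags);

echo "Zend:   ", $zend, "\n";
echo "native: ", $native, "\n";
echo "tags kept by Zend: ", implode(', ', surviving_tags($zend, $allowed_tags)), "\n";
echo "onclick kept by Zend:   ", var_export(strpos($zend, 'onclick') !== false, true), "\n";
echo "onclick kept by native: ", var_export(strpos($native, 'onclick') !== false, true), "\n";
```

If the literal sample keeps its allowed tags here but the request value still comes back as bare text, compare the raw getPost() value with the sample before looking further at the filter.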