PHP strip_tags（）：从某个域中除图像以外的所有图像都剥离？

Question

I would like to know if it is possible to strip ALL tags from a form the user has submitted, apart from tags from a certain domain.

I have a form which is mostly an "About Me" field where the user can share some information about himself/herself. I am currently stripping and securing the data for a MySQL insert using this:

$data = trim(htmlentities(strip_tags((string)$_POST['f_ab_me'])));
$data = mysqli_real_escape_string($db, $data);

Now I know strip_tags allows the possibility of allowing specific tags by using:

strip_tags($data, 'img');

But can I somehow tell it to NOT remove IMG tags that have the attribute "source" from " http://i.imgur.com/ ....." for example?

I do not want to allow the user to upload pictures on my server since I do not want to have to use that much bandwidth, but I would like to give them the option to still add images from imgur.com (which strips EXIF information automatically). What I also do not what to do is have a ton of input-boxes where the user can enter a link in each one, that just wouldn't look very nice in my opinion.

This is why i am asking if it is possible to somehow control it programmatically, maybe with a regular expression?

Thank you very much for your time.

Answer 1

Actually, using strip_tags function is not a right way, cause if your user wanna write anything that looks like HTML you just cut it off. Not so friendly, huh? :)

Using htmlentities would be enough to avoid HTML injections in user-entered content.

As of your question you can do next:

1. Using Regexp replace all i.imgur.com/* images to something like [IMG=*]
2. Then apply htmlentities to user content.
3. When rendering content just use Regexp again to turn your [IMG=*] code back to img tag.

I'm not very familiar with Regexp but there is working pattern I wrote:

echo preg_replace("#<img (.*?)src=(\"|\')http(s)?://i.imgur.com(.*?)(\"|\')#U", "[IMG=http://i.imgur.com$4]", $content);