Question

This is a typical example of how someone would use the strip_tags() function.

<h1><?php echo htmlentities($post->title); ?></h1>

// post content here
<?php echo strip_tags($post->content); ?>

So, I've created an alias function for stripping tags, like this:

function strip($var) {
    $allowed = '<div><span><pre><p><br><hr><hgroup><h1><h2><h3><h4><h5><h6>
                <ul><ol><li><dl><dt><dd><strong><em><b><i><u>
                <img><a><abbr><address><blockquote><area><audio><video>
                <form><fieldset><label><input><textarea>
                <caption><table><tbody><td><tfoot><th><thead><tr>
                <iframe>';

    return strip_tags($var, $allowed);
}

and use this instead:

<h1><?php echo htmlentities($post->title); ?></h1>

// post content here
<?php echo strip($post->content); ?>

My question is do I need to add more tags in the $allowed array, or remove some? Which other tags are considered 'not-evil' to add on the array?
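As an added illustration of what the allowed-tag list above does and does not control (example code, not from the question or the answer): strip_tags() only decides which tags survive; it never touches attributes, so the filter below compares it with a DOMDocument-based sanitizer that also whitelists attributes and URL schemes. The allow-lists and the sample input are assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the question or answer. strip_tags() keeps every
// attribute on a whitelisted tag, so <a href="javascript:..."> and <img onerror=...>
// survive it; sanitize() also whitelists attributes and URL schemes via DOMDocument.
// The allow-lists below are assumptions chosen for illustration.
const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Relative URLs and http/https/mailto pass; javascript:, data: and the rest do not.
// Control characters and spaces are removed before parsing, as browsers tolerate them.
function urlIsSafe(string $url): bool
{
    $scheme = parse_url(preg_replace('/[\x00-\x20]+/', '', $url), PHP_URL_SCHEME);
    return $scheme === null || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}

function sanitize(string $fragment): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a full document so libxml parses it consistently ('@' silences warnings).
    @$doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $fragment . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    // Snapshot the element list first: the tree is mutated while walking it.
    foreach (iterator_to_array((new DOMXPath($doc))->query('//body//*')) as $el) {
        $tag = strtolower($el->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $el->parentNode->removeChild($el);        // drop the element and its content
        } elseif (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unwrap: keep the children, drop the tag itself (what strip_tags() does).
            while ($el->firstChild) { $el->parentNode->insertBefore($el->firstChild, $el); }
            $el->parentNode->removeChild($el);
        } else {
            foreach (iterator_to_array($el->attributes) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && (!in_array($name, ['href', 'src'], true) || urlIsSafe($attr->value));
                if (!$ok) { $el->removeAttribute($attr->name); } // event handlers, style, unsafe URLs
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

// Constructed input: each allowed tag carries something strip_tags() cannot remove.
$input = '<p onclick="x()">Hi <a href="javascript:alert(1)">link</a>'
       . '<img src="/a.png" onerror="alert(1)"></p><iframe src="//x.invalid"></iframe>';
echo strip_tags($input, '<p><a><img>'), "\n"; // tag whitelist only: attributes survive
echo sanitize($input), "\n";                  // attributes and URL schemes filtered as well
```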


Solution

If you are worried about XSS attacks, then this is the best cheat sheet I have ever used.

updated the link

Licensed under: CC-BY-SA with attribution