Strip all tags from an HTML fragment except selected tags and their attributes.

strip-tags.php

<?php

/*
 * Strip all tags from an HTML fragment except selected tags and their attributes.
 *
 * $content  = 'Hello world. <script>alert("XSS");</script>';
 * $content .= But you can still click on this <a href="http://gog.gl" onclick="alert(\'XSS\')">link</a>';
 *
 * cleanHtml($content, $whitelist = ['a' => ['href']])
 *
 * > Hello world. But you can still click on this <a href="http://gog.gl">link</a>
 */

protected function stripTags($html, $whitelist = [])
{
    // <p></p> must be allowed as it's used to wrap 
    // content that has no wrapper.
    $whitelist = array_merge($whitelist, ['p' => []]);    

    $dom = new DOMDocument;    

    $dom->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);

    $xpath = new DOMXPath($dom);

    // Remove all but the white-listed tags.
    $tags = array_keys($whitelist);

    // Get all elements within the HTML.
    $nodes = $xpath->query('//*');

    foreach ($nodes as $node) {
        if (!in_array($node->tagName, $tags)) {
            $node->parentNode->removeChild($node);
        }
    }

    // Remove the non-specified attributes in for the remaining white-listed tags.
    $nodes = $xpath->query('//@*');

    foreach ($nodes as $node) {             
        $allowedAttributes = $whitelist[$node->parentNode->tagName];

        if (!in_array($node->nodeName, $allowedAttributes)) {
            $node->parentNode->removeAttribute($node->nodeName);
        }
    }

    return $dom->saveHTML();    
}