I’ve seen this question asked a few times on stackoverflow, with no resoundingly wonderful

Question 1

I’ve seen this question asked a few times on stackoverflow, with no resoundingly wonderful answer.
The answer always seems to be “don’t use regex,” without any examples of a better alternative.

For my purposes this will not be done for validation, but after the fact stripping.

I need to strip out all script tags including any content that may be between them.

Any suggestions on the best REGEX way to do this?

EDIT: PREEMPTIVE RESPONSE: I can’t use HTML Purifier nor the DOMXPath feature of PHP.

Question 2

The reason REGEX for HTML is considered evil, is because it can (usually) easily be broken, forcing you to repeatedly rethink your pattern. If for instance you’re matching

<script>.+</script>

It could be broken easily with

<script type="text/javascript">

If you use

<script.+/script>

It can also be easily broken with

< script>...

There’s no end for this. If you can’t use any of the methods you’ve stated, you could try strip_tags, but it takes a whitelist as a parameter, not a blacklist, meaning you’ll need to manually allow every single tag you want to allow.

If all else fail, you could resort to RegEx, what I came up with is this

<\s*script.*/script>

But I bet someone around here could probably come and break that too.

Editorial Team · Answer 1 · 2026-05-31T21:22:55+00:00

The reason REGEX for HTML is considered evil, is because it can (usually) easily be broken, forcing you to repeatedly rethink your pattern. If for instance you’re matching

<script>.+</script>

It could be broken easily with

<script type="text/javascript">

If you use

<script.+/script>

It can also be easily broken with

< script>...

There’s no end for this. If you can’t use any of the methods you’ve stated, you could try strip_tags, but it takes a whitelist as a parameter, not a blacklist, meaning you’ll need to manually allow every single tag you want to allow.

If all else fail, you could resort to RegEx, what I came up with is this

<\s*script.*/script>

But I bet someone around here could probably come and break that too.

Editorial Team
2026-05-31T21:22:55+00:00Added an answer on May 31, 2026 at 9:22 pm

The reason REGEX for HTML is considered evil, is because it can (usually) easily be broken, forcing you to repeatedly rethink your pattern. If for instance you’re matching

<script>.+</script>

It could be broken easily with

<script type="text/javascript">

If you use

<script.+/script>

It can also be easily broken with

< script>...

There’s no end for this. If you can’t use any of the methods you’ve stated, you could try strip_tags, but it takes a whitelist as a parameter, not a blacklist, meaning you’ll need to manually allow every single tag you want to allow.

If all else fail, you could resort to RegEx, what I came up with is this

<\s*script.*/script>

But I bet someone around here could probably come and break that too.

0

Reply

Share
Share

Share on Facebook

Share on Twitter

Share on LinkedIn

Share on WhatsApp

Report — Editorial Team, 2026-05-31T21:22:55+00:00Added an answer on May 31, 2026 at 9:22 pm

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’ve seen this question asked a few times on stackoverflow, with no resoundingly wonderful

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply