Stdlib: strip_tags() — allowed-tags subset for HTML sanitization

[PurHur]

Problem

MiniWebApp templates (#67, #246) and comment fields need a simple way to strip HTML while keeping a whitelist of tags. Today only htmlspecialchars() is reliable in AOT (#124); apps often call strip_tags($html, '<p><br>') on Zend.

Goal

Implement strip_tags(string $str, ?string $allowed_tags = null) in VM with a documented subset (no full HTML5 parser). JIT/AOT parity optional for v1 if tracked as follow-up.

Scope

• VM builtin in ext/standard/ (or existing string module)
• Default: strip all tags; optional allow-list like '<p><a><br>'
• PHPT: basic tags removed, allowed tags preserved, malformed input does not crash
• Update docs/capabilities.md via script/capability-matrix.php
• Register in UnsupportedRegistry until implemented (if lint hits call sites)

Acceptance criteria

docker run --rm -v "$(pwd):/compiler" -w /compiler php-compiler:22.04-dev \
  php bin/vm.php -r 'echo strip_tags("<b>x</b><i>y</i>", "<b>");'

Prints xy (or documented equivalent).

Verification (local / Docker only)

./script/ci-local.sh --filter strip_tags

No GitHub Actions required.

Dependencies

• Pairs with JIT: htmlspecialchars() native fast path (ENT_QUOTES, UTF-8) #124 htmlspecialchars (escape vs strip)
• Unblocks richer Reference: MiniWebApp lint-first skeleton (examples/003-MiniWebApp) #246 / Reference app: examples/003-MiniWebApp (router, templates, forms) #67 templates

Links

• docs/capabilities.md, 🗺️ ROADMAP: Compile a small PHP web application (living document) #78 ROADMAP Phase 4
• Examples: 004-ApiJson — minimal JSON API endpoint (lint-first) #270 ApiJson (may use htmlspecialchars only; strip_tags for CMS-style fields)