strings.stripTags() uses simple regex and is therefore unsafe

[botic]

There are a lot of references why the current regex is insufficient to strip tags from a string:

• http://stackoverflow.com/questions/5788527/is-strip-tags-vulnerable-to-scripting-attacks/5793453#5793453
• https://www.npmjs.com/package/striptags
• http://www.hinnerk-altenburg.de/weblog/strip-all-html-tags-with-perl-regular-expression-regexp-like-php-strip_tags-does/
• https://github.com/OWASP/java-html-sanitizer/

What to do about stripTags? I only see a chance to enhance it or to drop it and separate packages can do the job. IMHO the stripTags() approach is broken by design, since an application should normally escape the user input and not call strip tags, since a user might want to display for some reason.

As an alternative I suggest to port striptags to ringo/utils/strings. It's MIT-based license is compatible with Ringo's Apache License.

[botic]

Btw. the current unit test is ridiculous:

exports.testStripTags = function () {
    assert.strictEqual('content', strings.stripTags('<tag>content</tag>'));
};

[grob]

👍 for dropping stripTags.

[botic]

I think this can be done together with dropping unwrap() from #311, or?