Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
Like filter_xss_admin(), but with a shorter list of allowed tags.
Used for items entered by administrators, such as field descriptions or allowed values, where some (mainly inline) markup may be desired (so escaping everything with drupal_htmlspecialchars() is not acceptable).
$string: The string with raw HTML in it.
Return value: An XSS-safe version of $string, or an empty string if $string is not valid UTF-8.
function field_filter_xss($string) {
  return filter_xss($string, _field_filter_xss_allowed_tags());
}
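
The difference between escaping everything and filtering against a tag allowlist, as an added stand-alone example that is not Drupal's code and does not reproduce filter_xss(). The demo_* names, the tag list and the sample description are assumptions made for the illustration, and this sketch drops every attribute from the tags it keeps.

```php
<?php
// Added illustration; not Drupal's filter_xss() implementation.
// Constructed allowlist of inline tags (assumption): the real list comes from
// _field_filter_xss_allowed_tags(), which this page does not show.
const DEMO_ALLOWED_TAGS = ['b', 'code', 'em', 'i', 'strong', 'sub', 'sup', 'br'];

/** Policy 1: escape everything, so any markup shows up as literal text. */
function demo_escape_all(string $string): string {
  return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

/** Policy 2: keep allowlisted tags without attributes, drop other tags, escape the rest. */
function demo_allowlist_filter(string $string, array $allowed): string {
  // Same contract as documented above: invalid UTF-8 yields an empty string.
  if ($string !== '' && preg_match('/^./us', $string) !== 1) {
    return '';
  }
  // Split into tag-like chunks ("<...>" or an unterminated "<...") and text.
  $parts = preg_split('/(<[^>]*>?)/', $string, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
  $out = '';
  foreach ($parts as $part) {
    if (preg_match('/^<(\/?)([a-z][a-z0-9]*)(?=[\s\/>])[^>]*>$/i', $part, $m)) {
      $tag = strtolower($m[2]);
      // Re-emit allowed tags from scratch so no attribute survives; drop others.
      if (in_array($tag, $allowed, TRUE)) {
        $out .= '<' . $m[1] . $tag . '>';
      }
    }
    else {
      // Text, comments and malformed tags are escaped, never passed through.
      $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8', FALSE);
    }
  }
  return $out;
}

// Constructed sample: an administrator-entered field description.
$description = 'One value per line, <em onmouseover="x()">key|label</em>.'
  . '<script>alert(1)</script><img src=x onerror=alert(1)>';

echo demo_escape_all($description), "\n";
echo demo_allowlist_filter($description, DEMO_ALLOWED_TAGS), "\n";
var_dump(demo_allowlist_filter("bad \xC0 byte", DEMO_ALLOWED_TAGS));
```

The first line of output shows the emphasis tags as literal text, which is why plain escaping does not fit these fields; the second keeps the emphasis while the event-handler attribute and the script and img tags are gone.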