phpdave/EmailValueObjectExample.php

## EmailValueObjectExample.php
<?
class EmailValue
{
  protected $value;
  public function __construct($emailAddress)
  {
    //sanitize for DB (NULL bytes, HTML and PHP tags stripped)
    $emailAddress = strip_tags($emailAddress);
    //Supposedly does more than strip tags
    $emailAddress = xss_clean($emailAddress);
    if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException(sprintf('"%s" is not a valid email', $address));
    }
    $this->value = $emailAddress;
  }
  public function __toString()
  {
    return $this->address;
  }

  public function equals(EmailAddress $address)
  {
    return strtolower((string) $this) === strtolower((string) $address);
  }
}

try
{
  $email = new EmailValue($_POST['Email']);
}
catch
{
  //tell user they entered an invalid email
}

## xss_clean.php
<?
//http://stackoverflow.com/questions/1336776/xss-filtering-function-in-php
function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

do
{
	// Remove really unwanted tags
	$old_data = $data;
	$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);

// we are done...
return $data;
}
	<?
	class EmailValue
	{
	protected $value;
	public function __construct($emailAddress)
	{
	//sanitize for DB (NULL bytes, HTML and PHP tags stripped)
	$emailAddress = strip_tags($emailAddress);
	//Supposedly does more than strip tags
	$emailAddress = xss_clean($emailAddress);
	if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
	throw new InvalidArgumentException(sprintf('"%s" is not a valid email', $address));
	}
	$this->value = $emailAddress;
	}
	public function __toString()
	{
	return $this->address;
	}

	public function equals(EmailAddress $address)
	{
	return strtolower((string) $this) === strtolower((string) $address);
	}
	}

	try
	{
	$email = new EmailValue($_POST['Email']);
	}
	catch
	{
	//tell user they entered an invalid email
	}
	<?
	//http://stackoverflow.com/questions/1336776/xss-filtering-function-in-php
	function xss_clean($data)
	{
	// Fix &entity\n;
	$data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data);
	$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
	$data = preg_replace('/(&#x[0-9A-F]+);/iu', '$1;', $data);
	$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

	// Remove any attribute starting with "on" or xmlns
	$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on\|xmlns)[^>]*+>#iu', '$1>', $data);

	// Remove javascript: and vbscript: protocols
	$data = preg_replace('#([a-z])[\x00-\x20]=[\x00-\x20]([`\'"])[\x00-\x20]j[\x00-\x20]a[\x00-\x20]v[\x00-\x20]a[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
	$data = preg_replace('#([a-z])[\x00-\x20]=([\'"])[\x00-\x20]v[\x00-\x20]b[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:#iu', '$1=$2novbscript...', $data);
	$data = preg_replace('#([a-z])[\x00-\x20]=([\'"])[\x00-\x20]-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

	// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
	$data = preg_replace('#(<[^>]+?)style[\x00-\x20]=[\x00-\x20][`\'"].?expression[\x00-\x20]\([^>]+>#i', '$1>', $data);
	$data = preg_replace('#(<[^>]+?)style[\x00-\x20]=[\x00-\x20][`\'"].?behaviour[\x00-\x20]\([^>]+>#i', '$1>', $data);
	$data = preg_replace('#(<[^>]+?)style[\x00-\x20]=[\x00-\x20][`\'"].?s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:[^>]+>#iu', '$1>', $data);

	// Remove namespaced elements (we do not need them)
	$data = preg_replace('#</\w+:\w[^>]+>#i', '', $data);

	do
	{
	// Remove really unwanted tags
	$old_data = $data;
	$data = preg_replace('#</(?:applet\|b(?:ase\|gsound\|link)\|embed\|frame(?:set)?\|i(?:frame\|layer)\|l(?:ayer\|ink)\|meta\|object\|s(?:cript\|tyle)\|title\|xml)[^>]+>#i', '', $data);
	}
	while ($old_data !== $data);

	// we are done...
	return $data;
	}