$re = '/<([^>]+)>([^<]*)<\/\1>/m';
$str = '<FindingDbId>D9327888CC8545948C8D62D4FF515BDE</FindingDbId>
<Description><![CDATA[<p>A backup file was discovered. Binary archives or application files with an alternate file extension may expose source code and application logic to an attacker. If a script\'s file extension does not match an application extension (such as .asp, .jsp, or .php), then the server usually considers the file equivalent to plain text. When this happens, the server presents the user with the raw source code of the file instead of executing the script and providing interpreted output.<br/>Depending on the content of the script file, the exposure of data varies between simple function calls to database connection credentials to administration passwords.</p><br/>File archives such as .tgz, .tar.gz, or .zip files should never be stored within the web application\'s document root. If these files contain an archive of the application\'s source code, then it will be trivial for an attacker to download and examine the code.]]></Description>
<Recommendation><![CDATA[<p><ul><li>Remove all backup files, binary archives, alternate versions of files, and test files from the web document root of production servers.</li><li>Amend your deployment policy to include the removal of these file types by an administrator.</li></ul></p>]]></Recommendation>
';
preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);
// Print the entire match result
var_dump($matches);
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php