Edit report at https://bugs.php.net/bug.php?id=62032&edit=1

 ID:                 62032
 Updated by:         paj...@php.net
 Reported by:        iamcraigcampbell at gmail dot com
 Summary:            filter_var incorrectly strips characters from
                     strings after "<"
 Status:             Open
 Type:               Bug
 Package:            Filter related
 Operating System:   Mac OS X
 PHP Version:        5.4.3
 Block user comment: N
 Private report:     N

 New Comment:

> or < should be encoded then, see 

http://www.php.net/manual/en/filter.filters.sanitize.php

btw, any option should be added using the option array or defaults, as it is
the case already.


Previous Comments:
------------------------------------------------------------------------
[2012-05-15 14:45:27] iamcraigcampbell at gmail dot com

So in that case I think strip_tags and filter_var are both broken.  In this
context:
"It is true that 5<10"
"It is true that 5 < 10"

Neither of these are html tags so the string should not be touched regardless
of if there is a space or not.

------------------------------------------------------------------------
[2012-05-15 14:42:47] reeze dot xia at gmail dot com

PS: the reason why strip_tags() didn't strip it is '<' is followed by a
space char but not without ending '>', this is the key point.

Look deep into the source code, the difference is a switch whether or
not to treat '<' followed by one (or more) spaces as a tag or not.

------------------------------------------------------------------------
[2012-05-15 14:36:26] reeze dot xia at gmail dot com

strip_tags will strip it even without the ending '>' if '<' is followed by a
non-space char.

If we need to check whether it is a closed tag, it is a feature request to
change its behavior. It will break BC.

------------------------------------------------------------------------
[2012-05-15 14:26:52] iamcraigcampbell at gmail dot com

Well I can understand stripping it if there is a closing > somewhere, but if it
is a < that is not followed by a matching > then it should be allowed in the
string and not stripped.  I think strip_tags works as expected.

------------------------------------------------------------------------
[2012-05-15 14:24:14] reeze dot xia at gmail dot com

Hi,
  I think it's a document problem. You could refer to this commit:
http://svn.php.net/viewvc?view=revision&revision=225196

strip_tags() didn't allow space after < so strip_tags didn't treat it as an
invalid tag so it didn't get stripped.

filter_var allows space after < so it stripped everything after <.


I think we could add an extra parameter to strip_tags() to allow space after <
and document it, e.g.:

string strip_tags(string str [, string allowable_tags = null [, bool allow_tag_spaces = false]])

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62032


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62032&edit=1
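
Added example (not part of the bug report and not PHP's source code): a simplified C model of the tag-stripping loop the comments describe, showing how the "'<' followed by whitespace" switch yields the two behaviours on the report's strings, next to the encode-instead-of-strip alternative from the newest comment. The function names and the reduced state machine are assumptions for illustration; `allow_tag_spaces` borrows its name from the signature proposed in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the tag-stripping loop discussed in this thread (not
 * PHP's source: no quote, comment or allowed-tags handling).
 * allow_tag_spaces borrows its name from the signature proposed in the thread.
 * out must hold at least strlen(in) + 1 bytes. */
static const char *strip_model(const char *in, char *out, int allow_tag_spaces)
{
    size_t n = 0;
    int in_tag = 0;
    for (const char *p = in; *p; p++) {
        if (in_tag) {                 /* drop everything up to the next '>' */
            if (*p == '>') in_tag = 0;
        } else if (*p == '<' &&
                   (allow_tag_spaces || !isspace((unsigned char)p[1]))) {
            in_tag = 1;               /* '<' opens a "tag", closed or not */
        } else {
            out[n++] = *p;            /* ordinary char, or a literal "< " */
        }
    }
    out[n] = '\0';
    return out;
}

/* Lossless alternative: encode '<' and '>' as HTML entities instead of
 * stripping. out must hold at least 4 * strlen(in) + 1 bytes. */
static const char *encode_model(const char *in, char *out)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        if (*p == '<')      { memcpy(out + n, "&lt;", 4); n += 4; }
        else if (*p == '>') { memcpy(out + n, "&gt;", 4); n += 4; }
        else                out[n++] = *p;
    }
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* Sample inputs: the two strings quoted in the report. */
    const char *samples[] = { "It is true that 5<10", "It is true that 5 < 10" };
    char buf[128];
    for (int i = 0; i < 2; i++) {
        printf("space not allowed: [%s]\n", strip_model(samples[i], buf, 0));
        printf("space allowed    : [%s]\n", strip_model(samples[i], buf, 1));
        printf("encoded          : [%s]\n", encode_model(samples[i], buf));
    }
    return 0;
}
```

With the switch off, only "5 < 10" survives intact; with it on, both strings are truncated at the "<", while the encoded form keeps every character.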
