Edit report at https://bugs.php.net/bug.php?id=62032&edit=1

 ID:                 62032
 Comment by:         aleksey dot v dot korzun at gmail dot com
 Reported by:        iamcraigcampbell at gmail dot com
 Summary:            filter_var incorrectly strips characters from strings after "<"
 Status:             Open
 Type:               Bug
 Package:            Filter related
 Operating System:   Mac OS X
 PHP Version:        5.4.3
 Block user comment: N
 Private report:     N

 New Comment:

How is stripping anything after < with a space a valid operation? That seems like a lazy man's html stripper. Let's just blindly strip everything that can possibly be made into an html tag of any sort. Not.

Previous Comments:
------------------------------------------------------------------------
[2012-05-15 14:49:02] paj...@php.net

> or < should be encoded then, see http://www.php.net/manual/en/filter.filters.sanitize.php

Btw, any option should be added using the option array or defaults, as is the case already.

------------------------------------------------------------------------
[2012-05-15 14:45:27] iamcraigcampbell at gmail dot com

So in that case I think strip_tags and filter_var are both broken. In this context:

"It is true that 5<10"
"It is true that 5 < 10"

Neither of these are html tags so the string should not be touched regardless of if there is a space or not.

------------------------------------------------------------------------
[2012-05-15 14:42:47] reeze dot xia at gmail dot com

PS: the reason why strip_tags() didn't strip it is that '<' is followed by a space char, not that it is without an ending '>'; this is the key point. Looking deep into the source code, the difference is a switch on whether or not to treat '<' followed by one (or more) spaces as a tag.

------------------------------------------------------------------------
[2012-05-15 14:36:26] reeze dot xia at gmail dot com

strip_tags will strip it even without the ending '>' if '<' is followed by a non-space char. If we need to check whether it is a closed tag, it is a feature request to change its behavior. It will break BC.

------------------------------------------------------------------------
[2012-05-15 14:26:52] iamcraigcampbell at gmail dot com

Well, I can understand stripping it if there is a closing > somewhere, but if it is a < that is not followed by a matching > then it should be allowed in the string and not stripped. I think strip_tags works as expected.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=62032
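
The encoding approach suggested in the thread, set beside tag stripping, as an added example that is not part of the original report or of PHP's own code: it runs the two strings quoted above plus one constructed string through strip_tags() and two encoding calls, and flags any result from which the original text cannot be recovered. The helper names is_lossless and compare_sanitizers are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not PHP's own code. Sample inputs: the first two are the
// strings quoted in the report, the third is constructed.

// True when decoding the sanitized text gives back the original, i.e. the
// sanitizer changed only the representation and dropped no user data.
function is_lossless(string $original, string $sanitized): bool
{
    return html_entity_decode($sanitized, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $original;
}

// Runs every sanitizer over every input and records output and data loss.
function compare_sanitizers(array $inputs): array
{
    $sanitizers = [
        // Tag stripping: guesses what is markup and deletes it.
        'strip_tags' => function (string $s): string {
            return strip_tags($s);
        },
        // Output encoding: keeps every character, neutralised for HTML.
        'htmlspecialchars' => function (string $s): string {
            return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        // The filter extension's encoding filter (numeric entities).
        'FILTER_SANITIZE_SPECIAL_CHARS' => function (string $s): string {
            return filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS);
        },
    ];
    $report = [];
    foreach ($inputs as $input) {
        foreach ($sanitizers as $name => $sanitize) {
            $out = $sanitize($input);
            $report[] = [$name, $input, $out, is_lossless($input, $out)];
        }
    }
    return $report;
}

$inputs = [
    'It is true that 5<10',
    'It is true that 5 < 10',
    'Tom & Jerry: "1<2" and 3>2',   // constructed
];
foreach (compare_sanitizers($inputs) as [$name, $in, $out, $ok]) {
    printf("%-30s %-28s => %-45s %s\n", $name, $in, $out, $ok ? 'lossless' : 'DATA LOST');
}
```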