Edit report at https://bugs.php.net/bug.php?id=63212&edit=1

 ID:                 63212
 Comment by:         willfi...@php.net
 Reported by:        dac dot chartrand at gmail dot com
 Summary:             <' breaks strip_tags()
 Status:             Open
 Type:               Bug
 Package:            *General Issues
 PHP Version:        5.4.7
 Block user comment: N
 Private report:     N

 New Comment:

@riptide - no. <strong> is in the list of allowable tags.

I'll look into this one this evening.


Previous Comments:
------------------------------------------------------------------------
[2012-10-04 17:44:38] riptide dot tempora at opinehub dot com

"Expected result:
----------------
<strong>Hello World</strong>Should be removed<h1>Goodbye World</h1>

Actual result:
--------------
<strong>Hello World</strong>Should"

Shouldn't that <strong>(.*)</strong> be eliminated too? :\

------------------------------------------------------------------------
[2012-10-04 02:16:26] pierr...@php.net

Hi Daniel,

You're right, the ' is actually opening a quote which is never closed. But in a 
valid html/xml, having something like this: <'foo'> is now allowed. We could 
maybe verify that the node has a name before accepting an opening quote.
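
The check suggested in the comment above, as an added example that is not part of the thread or of PHP's source: a simplified Python model of a quote-aware tag stripper, run on the two inputs from the reporter's 2012-10-04 01:56:16 comment. The function name, the `require_name` flag and the shortened allow-list are assumptions for illustration; PHP's real implementation differs.

```python
def strip_tags_model(html, allowed=(), require_name=False):
    """Simplified quote-aware tag stripper (a model, not PHP's implementation)."""
    out, tag, quote = [], None, None      # tag buffers text while inside <...>
    for ch in html:
        if tag is None:                   # outside any tag
            if ch == "<":
                tag = "<"
            else:
                out.append(ch)
            continue
        tag += ch
        if quote:                         # inside a quoted attribute value:
            if ch == quote:               # only the matching quote ends it,
                quote = None              # so '>' is ignored until then
        elif ch in "'\"":
            # Guard proposed in the thread: accept an opening quote only
            # after the tag has a name (a letter right after '<' or '</').
            named = tag.lstrip("</")[:1].isalpha()
            if named or not require_name:
                quote = ch
        elif ch == ">":
            parts = tag.strip("</>").split()
            if parts and parts[0].lower() in allowed:
                out.append(tag)           # keep allowed tags verbatim
            tag = None
    return "".join(out)                   # an unterminated tag is dropped


# Inputs from the thread; the allow-list is shortened to the tags they use.
ALLOWED = {"strong", "h1"}
HASH_CASE = ("<strong>Hello World</strong><fake>Should <# > be removed</fake>"
             "<h1>Goodbye World</h1>")
QUOTE_CASE = HASH_CASE.replace("<# >", "<' >")

if __name__ == "__main__":
    print(repr(strip_tags_model(HASH_CASE, ALLOWED)))
    print(repr(strip_tags_model(QUOTE_CASE, ALLOWED)))                     # truncated
    print(repr(strip_tags_model(QUOTE_CASE, ALLOWED, require_name=True)))  # restored
```
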

------------------------------------------------------------------------
[2012-10-04 01:56:16] dac dot chartrand at gmail dot com

Hi Pierrick

I disagree. Maybe my report needs more info. Here are two other examples:

-=-=-

$content = "<strong>Hello World</strong><fake>Should <# > be removed</fake><h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong><em><pre><img><a><h1><h2><h3><h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table><thead><tbody><tfoot><tr><td><th>');
echo $content; 

// <strong>Hello World</strong>Should  be removed<h1>Goodbye World</h1>

$content = "<strong>Hello World</strong><fake>Should <' > be removed</fake><h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong><em><pre><img><a><h1><h2><h3><h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table><thead><tbody><tfoot><tr><td><th>');
echo $content; 

// <strong>Hello World</strong>Should 

-=-=-

Thanks for looking into this.

------------------------------------------------------------------------
[2012-10-03 23:34:14] pierr...@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Hi Daniel,

I don't think this is a bug. You're opening a tag which is not terminated. So 
strip_tags will strip it.

If you replace your <' by any other char (but space) like <a you'll have the 
same behavior.

------------------------------------------------------------------------
[2012-10-03 22:08:54] dac dot chartrand at gmail dot com

Description:
------------
The following character combo <' breaks strip_tags(): 

<'



Test script:
---------------
<?php

$content = "<strong>Hello World</strong><fake>Should be removed</fake><h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong><em><pre><img><a><h1><h2><h3><h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table><thead><tbody><tfoot><tr><td><th>');
echo $content;

// Good
// <strong>Hello World</strong>Should be removed<h1>Goodbye World</h1>



$content = "<strong>Hello World</strong><fake>Should <' be removed</fake><h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong><em><pre><img><a><h1><h2><h3><h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table><thead><tbody><tfoot><tr><td><th>');
echo $content;

// Bad
// <strong>Hello World</strong>Should

Expected result:
----------------
<strong>Hello World</strong>Should be removed<h1>Goodbye World</h1>

Actual result:
--------------
<strong>Hello World</strong>Should


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=63212&edit=1
