Bug #10362 strip_tags() strips round brackets inside allowed html tags
Submitted: 2001-04-17 12:02 UTC Modified: 2012-05-24 10:03 UTC
From: jo at feuersee dot de Assigned: johannes (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: 4.0.4pl1 OS: Linux 2.4.3
Private report: No CVE-ID: None
 [2001-04-17 12:02 UTC] jo at feuersee dot de
When using strip_tags() with the optional conversion 
param, it still strips round brackets "()" from the input 
string.
Example:
<?php
$allowed = "<a>";
$tag = "<a href=\"$PHP_SELF\" "; 
$tag .= "onClick=\"alert('Hello')\">click</a>";
printf("%s", strip_tags($tag, $allowed));
?>
results in
<a href="whatever.php" onCLick="alert'Hello'">click</a>
missing brackets---------------------^-----^

and leaves the <a> tag unusable.

 [2001-04-28 19:13 UTC] elixer@php.net
Fixed in CVS.  It will be part of PHP4.0.6 when it is released.
 [2012-05-24 10:03 UTC] johannes@php.net
-Assigned To: +Assigned To: johannes -Block user comment: No +Block user comment: Yes
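
Added example, not part of the original report or of the PHP source: with the fix in place, strip_tags() passes an allowed tag through unchanged, so the onClick handler from the report reaches the output intact and any attribute filtering has to happen in a separate step. The sketch below first checks the fixed behaviour on a constructed copy of the reporter's input, then applies an attribute allowlist with DOMDocument. The function name keep_attributes() and the allowlist contents are assumptions made for illustration.

```php
<?php
// Constructed input modelled on the report; $PHP_SELF is replaced by a fixed path.
$input = '<a href="whatever.php" onClick="alert(\'Hello\')">click</a><b>bold</b>';

// Step 1: regression check for this bug. Text inside an allowed tag,
// round brackets included, must come back unchanged.
$kept = strip_tags($input, '<a>');
$expected = '<a href="whatever.php" onClick="alert(\'Hello\')">click</a>bold';
if ($kept !== $expected) {
    throw new RuntimeException('strip_tags() altered the contents of an allowed tag');
}

// Step 2 (hypothetical helper): keep only allowlisted attributes per element.
// $allowed maps a lowercase tag name to the attribute names it may carry.
function keep_attributes(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate fragment markup
    // The XML declaration makes libxml read the input as UTF-8; the <div>
    // wrapper gives the fragment a single root that can be found again.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $wrap = $doc->getElementsByTagName('div')->item(0);

    foreach ($wrap->getElementsByTagName('*') as $el) {
        // Copy the attribute list first: it is live and changes on removal.
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, $allowed[$el->nodeName] ?? [], true);
            if ($ok && $name === 'href') {
                // Drop control characters and spaces before looking for a scheme,
                // then accept only relative URLs and http(s).
                $url = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
                    $ok = in_array(strtolower($m[1]), ['http', 'https'], true);
                }
            }
            if (!$ok) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }
    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

echo $kept, "\n";
echo keep_attributes($kept, ['a' => ['href']]), "\n";
```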
 