PHP :: Bug #63212 :: <' breaks strip

Bug #63212

<' breaks strip_tags()

Submitted:

2012-10-03 22:08 UTC

Modified:

2021-08-30 16:29 UTC

Votes:	3
Avg. Score:	4.3 ± 0.9
Reproduced:	2 of 2 (100.0%)
Same Version:	0 (0.0%)
Same OS:	1 (50.0%)

From:

dac dot chartrand at gmail dot com

Assigned:

cmb (profile)

Status:

Not a bug

Package:

Strings related

PHP Version:

5.4.7

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2012-10-03 22:08 UTC] dac dot chartrand at gmail dot com

Description:
------------
The following character combo <' breaks strip_tags(): 

<'



Test script:
---------------
<?php

$content = "<strong>Hello World</strong><fake>Should be removed</fake><h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong><em><pre><img><a><h1><h2><h3><h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table><thead><tbody><tfoot><tr><td><th>');
echo $content;

// Good
// <strong>Hello World</strong>Should be removed<h1>Goodbye World</h1>



$content = "<strong>Hello World</strong><fake>Should <' be removed</fake><h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong><em><pre><img><a><h1><h2><h3><h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table><thead><tbody><tfoot><tr><td><th>');
echo $content;

// Bad
// <strong>Hello World</strong>Should

Expected result:
----------------
<strong>Hello World</strong>Should be removed<h1>Goodbye World</h1>

Actual result:
--------------
<strong>Hello World</strong>Should

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-10-03 23:34 UTC] pierrick@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Hi Daniel,

I don't think this is a bug. You're opening a tag which is not terminated. So 
strip_tags will strip it.

If you replace your <' by any other char (but space) like <a you'll have the 
same behavior.

[2012-10-03 23:34 UTC] pierrick@php.net

-Status: Open +Status: Not a bug

[2012-10-04 01:56 UTC] dac dot chartrand at gmail dot com

Hi Pierrick

I disagree. Maybe my report needs more info. Here are two other examples:

-=-=-

$content = "<strong>Hello World</strong><fake>Should <# > be removed</fake>
<h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong>
<em><pre><img><a><h1><h2><h3>
<h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table>
<thead><tbody><tfoot><tr><td>
<th>');
echo $content; 

// <strong>Hello World</strong>Should  be removed<h1>Goodbye World</h1>

$content = "<strong>Hello World</strong><fake>Should <' > be removed</fake>
<h1>Goodbye World</h1>";
$content = strip_tags($content, '<del><ins><p><div><span><hr><br><cite><strong>
<em><pre><img><a><h1><h2><h3>
<h4><h5><h6><dl><dt><dd><ul><li><ol><sub><sup><tt><blockquote><aside><table>
<thead><tbody><tfoot><tr><td>
<th>');
echo $content; 

// <strong>Hello World</strong>Should 

-=-=-

Thanks for looking into this.

[2012-10-04 02:16 UTC] pierrick@php.net

-Status: Not a bug +Status: Open

[2012-10-04 02:16 UTC] pierrick@php.net

Hi Daniel,

You're right, the ' is actually opening a quote which is never closed. But in a 
valid html/xml, having something like this : <'foo'> is now allowed. We could 
maybe verify that the node have a name before accepting an opening quote.

[2012-10-04 17:44 UTC] riptide dot tempora at opinehub dot com

"Expected result:
----------------
<strong>Hello World</strong>Should be removed<h1>Goodbye World</h1>

Actual result:
--------------
<strong>Hello World</strong>Should"

Shouldn't that <strong>(.*)</strong> be eliminated to? :\

[2012-10-10 21:36 UTC] willfitch@php.net

@riptide - no. <strong> is in the list of allowable tags.

I'll look into this one this evening.

[2018-03-10 13:47 UTC] cmb@php.net

-Package: *General Issues +Package: Strings related

[2021-08-30 16:29 UTC] cmb@php.net

-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb

[2021-08-30 16:29 UTC] cmb@php.net

strip_tags() is a crude tool, and it rather errs on the side of
caution, i.e. it may remove more than necessary.  That is even
documented[1]:

| Because strip_tags() does not actually validate the HTML,
| partial or broken tags can result in the removal of more text/data
| than expected.

So the reported behavior is not a bug.

Personally, I suggest to only use strip_tags() on valid HTML, or
better to not use the function at all.

[1] <https://www.php.net/strip_tags>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Nov 25 20:01:28 2024 UTC