|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2013-03-15 15:15 UTC] gdataonline at gmail dot com
Description: ------------ strip_tags() will clobber all remaining input after encountering non-HTML tags, regardless if embedded in "allowable-tags". When strip_tags() encounters a "<" followed by *any non-whitespace*, it assumes it's an HTML tag, even if it couldn't legally be one. In the example below, even something as simple as a "<=" appearing in JavaScript is enough to trigger the behavior. For a full list of characters that strip_tags() clobbers on, see this example: http://ideone.com/BEPINI Test script: --------------- <?php // Example 1: Without <= $code = "<script>if (foo >= bar){ alert(0); }</script>"; var_dump(strip_tags($code)); var_dump(strip_tags($code, "<script>")); // Example 2: With <= $code = "<script>if (foo <= bar){ alert(0); }</script>"; var_dump(strip_tags($code)); var_dump(strip_tags($code, "<script>")); ?> Expected result: ---------------- string(28) "if (foo >= bar){ alert(0); }" string(45) "<script>if (foo >= bar){ alert(0); }</script>" string(28) "if (foo <= bar){ alert(0); }" string(45) "<script>if (foo <= bar){ alert(0); }</script>" Actual result: -------------- string(28) "if (foo >= bar){ alert(0); }" string(45) "<script>if (foo >= bar){ alert(0); }</script>" string(8) "if (foo " string(16) "<script>if (foo " PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Mar 12 04:01:30 2025 UTC |
I'm having the same problem. Test script: --------------- <?php var_dump(strip_tags('This is not HTML, <email@email.com> is not a valid tag')); Expected result: ---------------- string(54) "This is not HTML, <email@email.com> is not a valid tag" Actual result: -------------- string(37) "This is not HTML, is not a valid tag"