php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66111 strip_tags strip <=
Submitted: 2013-11-18 08:33 UTC Modified: 2013-11-20 15:50 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: 22rist at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.5Git-2013-11-18 (Git) OS: windows 7 x64
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: 22rist at gmail dot com
New email:
PHP Version: OS:

Further comment on this bug is unnecessary.

 

 [2013-11-18 08:33 UTC] 22rist at gmail dot com
Description:
------------
Very hard to explain copywriter, that he should not use "<=" in his text for security purposes.

Test script:
---------------
$text = "Mileage <= 15000";
print_r(strip_tags($text));
//print: Mileage

Expected result:
----------------
Mileage <= 15000

Actual result:
--------------
Mileage

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-11-19 13:10 UTC] anon at anon dot anon
strip_tags converts HTML to plain text. If you're typing "Mileage <= 15000", that's not HTML, it's text, so strip_tags is the wrong function. Use htmlspecialchars.
 [2013-11-19 14:18 UTC] 22rist at gmail dot com
This text can be in comments. Some of this comments can be from user. There can be tags that I must strip.  But there can be "Mileage <= 15000" that I shouldn't streep. What should I do?
 [2013-11-20 12:12 UTC] anon at anon dot anon
>There can be tags that I must strip.

In other words, you're trying to make it a nuisance for anyone on the off chance they want to talk about HTML.

strip_tags is the wrong function. Use htmlspecialchars.
 [2013-11-20 12:23 UTC] 22rist at gmail dot com
In security reasons (to prevent XSS) I should strip all tags in user comments. It's not a developer blog and there wont be conversation about HTML. 
And your comment "they want to talk about HTML." is not related to the subject.
The subject is "The function strip_tags should strip tags and only tags".
 [2013-11-20 13:17 UTC] anon at anon dot anon
There's a very easy way to prevent XSS and allow "Mileage <= 15000". It's called htmlspecialchars.
 [2013-11-20 13:35 UTC] 22rist at gmail dot com
Ok, htmlspecilachars will prevent XSS. But I want to STRIP TAGS. 

I want to see 
"Please use google.com"
when user write
"<b>Please</b> use <a href="https://www.google.com">google.com</a>"
AND NOT an encoded variant of "<b>Please</b> use <a href="https://www.google.com">google.com</a>" as htmlspecilachars do.
 [2013-11-20 13:59 UTC] anon at anon dot anon
Why would someone write that?

Oh wait, you just did. Can you imagine how annoying it would be for you to type your comment if this bug page used strip_tags?
 [2013-11-20 14:18 UTC] 22rist at gmail dot com
The subject is "The function strip_tags should strip tags and only tags".
Not "How I use strip_tags". Or "how somebody filter comments". 
So if you can't write something related to the subject please do not spam.
 [2013-11-20 14:46 UTC] anon at anon dot anon
The subject is that you're misusing the function. strip_tags removes tags from HTML. This is not valid HTML:

    Mileage <= 15000

Now read the warning in the documentation: 

    Because strip_tags() does not actually validate the HTML, partial or
    broken tags can result in the removal of more text/data than expected.

I.e., garbage in = garbage out.
 [2013-11-20 14:54 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2013-11-20 14:54 UTC] johannes@php.net
Browsers are quite error tolerant in parsing HTML. strip_tags tries to be secure with the risk of breaking input. If you want to take data into HTML and want the browser to render it properly use htmlentities etc.
 [2013-11-20 15:02 UTC] 22rist at gmail dot com
I want to filter string writen by user
"<b>Best car ever!<b/> Mileage <= 15000"
so it looks like
"Best car ever! Mileage <= 15000";
I want to strip only tags. PHP can't do it using native functions?
 [2013-11-20 15:50 UTC] rasmus@php.net
-Block user comment: No +Block user comment: Yes
 [2013-11-20 15:50 UTC] rasmus@php.net
This is not a support forum. There is no bug here.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC