Bug #74371 strip_tags altering attributes
Submitted: 2017-04-04 18:41 UTC Modified: 2017-08-12 01:04 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: php-bugs at aspectis dot net Assigned:
Status: Verified Package: *General Issues
PHP Version: 7.1.3 OS:
Private report: No CVE-ID: None
 [2017-04-04 18:41 UTC] php-bugs at aspectis dot net
Description:
------------
The manual claims that strip_tags "does not modify any attributes on the tags that you allow" (http://www.php.net/function.strip-tags), which unfortunately isn't quite true:

The characters "<" and ">" get stripped from all attribute values.

All versions at least from 5.4 seem to be affected.

Test script:
---------------
echo strip_tags('<img src="example.jpg" alt=":> :<">', '<img>');


Expected result:
----------------
<img src="example.jpg" alt=":> :<">

Actual result:
--------------
<img src="example.jpg" alt=": :">

History

 [2017-04-04 19:45 UTC] spam2 at rhsoft dot net
your source code is just plain wrong when it contains < or > because these chars need to be encoded as entities, and the whole purpose of strip_tags() is to FIX such issues to PREVENT that your tag itself gets closed by an unencoded value
 [2017-04-04 19:56 UTC] php-bugs at aspectis dot net
This may be true for XHTML, but in HTML 4 and 5 "<" and ">" are perfectly valid characters for attribute values.
 [2017-04-04 20:28 UTC] spam2 at rhsoft dot net
you don't get it - the whole purpose of strip_tags is to get rid of dangerous chars like < and >
 [2017-08-12 01:04 UTC] ajf@php.net
-Status: Open +Status: Verified
 [2017-08-12 01:04 UTC] ajf@php.net
Looks like a real bug to me.

One solution might be to round-trip it through an HTML parser (say, DOMDocument) first.
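As an added illustration of the two behaviours discussed in this thread (the reporter's test script and ajf's DOMDocument round-trip), and not code from the report, from php-src or from the pull request: the script below runs the report's input through strip_tags() and through a small allow-list filter built on DOMDocument. The filter_html_allowlist() and prune_node() functions, the ['img' => ['src', 'alt']] allow-list shape, and the second (constructed) input are assumptions of this example. It goes one step beyond the thread by also dropping attributes that are not on the allow-list, since strip_tags() never touches attributes on tags it keeps.

```php
<?php
// Added example for bug #74371; not from the report, php-src or PR #3570.
// Needs ext/dom (bundled with PHP).
declare(strict_types=1);

/**
 * Keep only allow-listed elements and, on those, only allow-listed attributes.
 * Disallowed elements are unwrapped (their text survives, as with strip_tags);
 * comments and other non-text nodes are dropped.
 * $allowed shape (assumed): ['img' => ['src', 'alt'], 'b' => []]
 */
function filter_html_allowlist(string $html, array $allowed): string
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate tag soup quietly
    // Wrap the fragment so libxml does not invent structure around it.
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $body = $dom->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    prune_node($body, $allowed);

    // Serialise only the body's children, i.e. the filtered fragment.
    // Note: libxml may write < and > inside attribute values as &lt; / &gt;,
    // which is equivalent HTML; the parsed attribute value itself is intact.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

function prune_node(DOMNode $parent, array $allowed): void
{
    // Snapshot the child list: the tree is mutated while walking it.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            prune_node($child, $allowed);
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                // Unwrap: hoist children in place, then drop the element.
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
                continue;
            }
            // Element is allowed: drop every attribute not on its allow-list.
            foreach (iterator_to_array($child->attributes) as $attr) {
                if (!in_array(strtolower($attr->name), $allowed[$tag], true)) {
                    $child->removeAttributeNode($attr);
                }
            }
        } elseif (!$child instanceof DOMText) {
            $parent->removeChild($child);   // comments, CDATA, PIs
        }
    }
}

/** Runs both approaches and returns the results for inspection. */
function compare_filters(): array
{
    $allowed = ['img' => ['src', 'alt']];

    // Input from the report's test script.
    $reported = '<img src="example.jpg" alt=":> :<">';
    // Constructed input: an allowed tag carrying an attribute that is not allow-listed.
    $extraAttr = '<img src="example.jpg" onmouseover="untrusted()"><b>text</b>';

    $domOut = filter_html_allowlist($reported, $allowed);
    $dom = new DOMDocument();
    $dom->loadHTML('<body>' . $domOut . '</body>');
    $altReadBack = $dom->getElementsByTagName('img')->item(0)->getAttribute('alt');

    return [
        'strip_tags reported'  => strip_tags($reported, '<img>'),        // alt=": :"
        'dom reported'         => $domOut,
        'dom alt read back'    => $altReadBack,                          // ":> :<"
        'strip_tags extraAttr' => strip_tags($extraAttr, '<img>'),       // onmouseover kept, <b> removed
        'dom extraAttr'        => filter_html_allowlist($extraAttr, $allowed), // onmouseover and <b> removed
    ];
}

foreach (compare_filters() as $label => $value) {
    printf("%-22s %s\n", $label . ':', $value);
}
```

The comparison makes the trade-off in the thread concrete: strip_tags() alters the alt value (the bug) while leaving every other attribute on the kept tag untouched, whereas the DOM-based filter preserves the attribute value as parsed and lets the caller decide which attributes survive.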
 [2020-12-03 22:46 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fixed bug #74371 strip_tags altering attributes
On GitHub:  https://github.com/php/php-src/pull/3570
Patch:      https://github.com/php/php-src/pull/3570.patch
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 25 22:01:31 2024 UTC