Bug #73823 filter_var() cuts at < char
Submitted: 2016-12-27 15:48 UTC Modified: 2016-12-27 23:50 UTC
From: spam2 at rhsoft dot net Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.1.0 OS:
Private report: No CVE-ID: None
 [2016-12-27 15:48 UTC] spam2 at rhsoft dot net
Description:
------------
[harry@srv-rhsoft:~]$ php -r "echo filter_var('te<st', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);"
te

[harry@srv-rhsoft:~]$ php -r "echo filter_var('te<st>x', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);"
tex


is this a joke?

besides that FILTER_FLAG_STRIP_LOW is not usable for values from a textarea without replacing linebreaks before with something else and restoring them after filtering, it's a no-go to cut the whole input before a < sign

given the second example this looks like a lousy try of html filtering


 [2016-12-27 23:17 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2016-12-27 23:17 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is not related to FILTER_FLAG_STRIP_LOW[1], but rather
FILTER_SANITIZE_STRING is supposed to strip tags.

[1] <https://3v4l.org/dLPn6>
[2] <http://php.net/manual/en/filter.filters.sanitize.php>
[3] <http://php.net/manual/en/function.strip-tags.php>
 [2016-12-27 23:38 UTC] spam2 at rhsoft dot net
are you kidding me?

a SINGLE < inside a string is NOT a tag and no justification to cut the whole input there - it makes the filter unusable in real life
 [2016-12-27 23:50 UTC] cmb@php.net
> a SINGLE < inside a string is NOT a tag and no justification to
> cut the whole input there - it makes the filter unusable in
> real life

Well, it's supposed to work exactly like strip_tags()[1], so if
anything should be changed, strip_tags() should be changed as well
(what would probably require an RFC[2]).

[1] <https://3v4l.org/dLPn6>
[2] <https://wiki.php.net/rfc/howto>
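The point cmb makes is that FILTER_SANITIZE_STRING is strip_tags() behind the scenes (plus quote encoding unless FILTER_FLAG_NO_ENCODE_QUOTES is set), and strip_tags() drops everything from an unbalanced "<" to the next ">" or end of string. The script below is an added example, not part of the bug report or of PHP's own test suite: it runs the report's two inputs, plus a few constructed ones, through filter_var(), strip_tags() and htmlspecialchars() side by side so the difference between "sanitizing" input and encoding output is visible. The file name and the sample strings are assumptions. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the filter branch is skipped on those releases to keep the run warning-free.

```php
<?php
// compare_sanitizers.php (file name is an assumption): added example, not
// code from the bug report. Run with `php compare_sanitizers.php`.

declare(strict_types=1);

/**
 * Apply three approaches to one input and return the results keyed by
 * name. filter_var() with FILTER_SANITIZE_STRING (what the report used),
 * strip_tags() (what cmb says it mirrors), and htmlspecialchars()
 * (output encoding, which keeps the data intact and makes it inert in an
 * HTML text node or quoted attribute).
 */
function compare_sanitizers(string $input): array
{
    // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; skip it there
    // rather than emitting a deprecation notice on every call.
    $filtered = (PHP_VERSION_ID < 80100 && defined('FILTER_SANITIZE_STRING'))
        ? filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW)
        : null;

    return [
        'filter_var'       => $filtered,
        'strip_tags'       => strip_tags($input),
        'htmlspecialchars' => htmlspecialchars(
            $input,
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            'UTF-8'
        ),
    ];
}

// Constructed sample inputs: the two from the report, a lone "<" that is
// clearly not markup, a comparison with spaces around "<" (which
// strip_tags() treats differently from "a<b"), and a real script tag.
$samples = [
    'te<st',
    'te<st>x',
    'a<b',
    "if a < b then 'yes'",
    '<script>alert(1)</script>',
];

foreach ($samples as $sample) {
    echo var_export($sample, true), "\n";
    foreach (compare_sanitizers($sample) as $name => $result) {
        $shown = $result === null ? '(skipped: filter deprecated on this PHP)' : var_export($result, true);
        printf("  %-17s %s\n", $name . ':', $shown);
    }
    echo "\n";
}
```

The first two inputs reproduce the truncation in the report: filter_var() and strip_tags() agree with each other, and both discard text after an unbalanced "<". The htmlspecialchars() column is the one to use when the goal is to prevent HTML injection: apply it at the point where the string is written into an HTML page, store the original input unchanged, and the "te<st" case survives as the user typed it. strip_tags() and FILTER_SANITIZE_STRING are lossy text transforms, not a substitute for context-aware output encoding.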