Bug #74371 strip_tags altering attributes
Submitted: 2017-04-04 18:41 UTC Modified: 2017-08-12 01:04 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: php-bugs at aspectis dot net Assigned:
Status: Verified Package: *General Issues
PHP Version: 7.1.3 OS:
Private report: No CVE-ID: None
 [2017-04-04 18:41 UTC] php-bugs at aspectis dot net
Description:
------------
The manual claims that strip_tags "does not modify any attributes on the tags that you allow" (http://www.php.net/function.strip-tags), which unfortunately isn't quite true:

The characters "<" and ">" get stripped from all attribute values.

All versions at least from 5.4 seem to be affected.

Test script:
---------------
echo strip_tags('<img src="example.jpg" alt=":> :<">', '<img>');


Expected result:
----------------
<img src="example.jpg" alt=":> :<">

Actual result:
--------------
<img src="example.jpg" alt=": :">

 [2017-04-04 19:45 UTC] spam2 at rhsoft dot net
your source code is just plain wrong when it contains < or > because these chars need to be encoded as entities and the whole purpose of strip_tags() is to FIX such issues to PREVENT that your tag itself gets closed by an unencoded value
 [2017-04-04 19:56 UTC] php-bugs at aspectis dot net
This may be true for XHTML, but in HTML 4 and 5 "<" and ">" are perfectly valid characters for attribute values.
 [2017-04-04 20:28 UTC] spam2 at rhsoft dot net
you don't get it - the whole purpose of strip_tags is to get rid of dangerous chars like < and >
 [2017-08-12 01:04 UTC] ajf@php.net
-Status: Open +Status: Verified
 [2017-08-12 01:04 UTC] ajf@php.net
Looks like a real bug to me.

One solution might be to round-trip it through an HTML parser (say, DOMDocument) first.
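As an added example (not code from the report, from ajf@php.net, or from php-src), the following PHP script first reproduces the report's test case and then shows the parser round-trip suggested above: the fragment is parsed with DOMDocument, every element not on an allow-list is unwrapped, and the tree is serialized again, so attribute values on allowed tags are carried through as parsed rather than edited as text. The names `filter_tags()` and `unwrap()` are assumptions of this example, not PHP built-ins.

```php
<?php
// Added example, not code from the bug report or from php-src.
// Part 1 reproduces the report's test script; part 2 is the DOMDocument
// round-trip: parse, unwrap every element that is not allowed, re-serialize.
// Attribute values on allowed tags are kept as parsed (the serializer may
// write '<' and '>' as &lt; and &gt;, which is the same attribute value).
// filter_tags() and unwrap() are assumptions of this example.

declare(strict_types=1);

// --- Part 1: the reported behaviour ---------------------------------------
// On affected versions the '<' and '>' inside alt="..." are removed.
echo strip_tags('<img src="example.jpg" alt=":> :<">', '<img>'), "\n";

// --- Part 2: parser-based allow-list filter --------------------------------
/**
 * Keep only the tags named in $allowed (case-insensitive, no angle brackets).
 * Every other element is unwrapped: the tag goes, its children stay, which
 * mirrors what strip_tags() does with tags that are not allowed.
 */
function filter_tags(string $html, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);        // tolerate sloppy markup quietly
    // Wrap the fragment in a <div>: libxml adds <html><body> around it, and the
    // wrapper stops bare text at body level from getting an implied <p>.
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath   = new DOMXPath($doc);
    $body    = $xpath->query('//body')->item(0);
    $wrapper = $body->firstChild;                    // the <div> added above

    // Snapshot the element list first: the tree is mutated while walking it.
    $nodes = iterator_to_array($xpath->query('.//*', $body));
    foreach ($nodes as $el) {
        if ($el->isSameNode($wrapper) || in_array(strtolower($el->nodeName), $allowed, true)) {
            continue;
        }
        unwrap($el);
    }
    unwrap($wrapper);                                // drop our own wrapper too

    // Serialize only the body's children, not the generated document shell.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/** Hoist an element's children in front of it, then remove the element. */
function unwrap(DOMNode $el): void
{
    while ($el->firstChild !== null) {
        $el->parentNode->insertBefore($el->firstChild, $el);
    }
    $el->parentNode->removeChild($el);
}

// Constructed sample: the report's <img> plus markup that is not on the list.
$sample = '<p>Hi <img src="example.jpg" alt=":> :<"> <b>bold</b></p>';
echo filter_tags($sample, ['img']), "\n";
```

Like strip_tags(), this keeps the text of unwrapped elements and leaves every attribute on an allowed tag alone, so it is a tag allow-list, not an HTML sanitizer; code that accepts untrusted markup still has to decide which attributes (and which URL schemes inside them) an allowed tag may carry.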
 [2020-12-03 22:46 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fixed bug #74371 strip_tags altering attributes
On GitHub:  https://github.com/php/php-src/pull/3570
Patch:      https://github.com/php/php-src/pull/3570.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 25 22:01:31 2024 UTC