Bug #12120 Several following < characters ignored by striptags()
Submitted: 2001-07-12 20:32 UTC Modified: 2002-09-20 06:52 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: michel at eevolved dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 4.3.0CVS OS: Linux Mandrake
Private report: No CVE-ID:
 [2001-07-12 20:32 UTC] michel at eevolved dot com
$foo = strip_tags("< < <b>hello</b>", "<b>");
echo $foo; // prints "<  b>hello" with a hidden "</b>"

strip_tags(), in this case, returns the string it was 
supplied, but omits the second and third '<' character. In 
a regular browser, it would display the 3 '<' characters, 
separated by spaces: "< < <" (equivalent to "&lt; &lt; 
&lt;") followed by a bold hello. Yet since PHP probably 
raises a flag after the first "<", all subsequent "<" 
characters are ignored until the next ">".

To resume:
Source without strip_tags: "< < <b>hello</b>"
Source with strip_tags: "<  b>hello</b>"

I would also like to point out:

$foo = strip_tags("< < < >hello</b>", "<b>");
echo $foo;

Source without strip_tags: "< < < >hello</b>"
Source with strip_tags: "hello</b>"
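
The behaviour described in the report above, as an added example that is not part of the original report and not PHP's source: a simplified Python model of the single-flag scan the reporter hypothesises, which reproduces both reported outputs, next to a hypothetical escape-then-allow replacement that keeps every stray '<' as `&lt;`. The names `flag_based_strip` and `escape_then_allow` and their parameters are assumptions made for this example.

```python
import html
import re

TAG_NAME = re.compile(r"<\s*/?\s*([a-zA-Z0-9]*)")

def flag_based_strip(text, allowed=""):
    """Simplified model of the scan hypothesised in the report (an assumption,
    not PHP's source): one "inside a tag" flag, set by '<' and cleared by '>'."""
    allowed_names = set(re.findall(r"<\s*([a-zA-Z0-9]+)", allowed.lower()))
    out, buf, in_tag = [], [], False
    for ch in text:
        if not in_tag:
            if ch == "<":
                in_tag, buf = True, ["<"]   # raise the flag, start buffering
            else:
                out.append(ch)
        elif ch == "<":
            continue                        # flag already set: this '<' is lost
        else:
            buf.append(ch)
            if ch == ">":                   # flag cleared: keep or drop the buffer
                in_tag = False
                tag = "".join(buf)
                if TAG_NAME.match(tag).group(1).lower() in allowed_names:
                    out.append(tag)
    return "".join(out)

def escape_then_allow(text, allowed_names=("b",)):
    """Hypothetical custom replacement: encode everything, then restore only
    exact, attribute-free allowed tags, so stray '<' survive as &lt;."""
    safe = html.escape(text, quote=True)
    for name in allowed_names:
        safe = safe.replace(f"&lt;{name}&gt;", f"<{name}>")
        safe = safe.replace(f"&lt;/{name}&gt;", f"</{name}>")
    return safe

# The two inputs quoted in the report
REPORT_INPUTS = ["< < <b>hello</b>", "< < < >hello</b>"]

if __name__ == "__main__":
    for s in REPORT_INPUTS:
        print(repr(flag_based_strip(s, "<b>")), "|", repr(escape_then_allow(s)))
```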

 [2001-08-19 05:00 UTC] sniper@php.net
Does this happen with PHP 4.0.6?

 [2001-08-19 13:31 UTC] michel at eevolved dot com
I did not try with the newest release, and unfortunately 
cannot currently test more with any version (different 
computer, not suitable for PHP.)

Sorry I could not help.

Do note, though, that I have been to many, many sites who 
use PHP, to look into what their solution is to 
striptags(), and all the sites seem to use a custom 
function. Obviously, I am not the only one to have this 
problem (again, as far as 4.0.4pl1 is concerned.)

 [2002-01-22 07:31 UTC] martin at humany dot com
I reproduced the problem in PHP 4.1.1, using the same code:

$foo = strip_tags("< < <b>hello</b>", "<b>");
echo $foo; // prints "<  b>hello" with a hidden "</b>"

Tested on Windows XP and Linux 2.4

 [2002-09-20 06:52 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 