The HTML strip_tags() function permits any attributes. This gives a security hole. E.g. allowing <b> also permits:
That's not so nice!
Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of HTML. I don't want them to be able to do anything nasty.
I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.
Thanks a lot
Oops - that should be
Rewrote the summary. It would be nice if the syntax were something like: strip_tags($text, "a[href,target],br,p")
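The behaviour the report describes (attributes survive on an allowed tag) and the "a[href,target],br,p" spec style proposed in the comment above, as an added PHP example; this is not code from the bug report or from PHP itself. parse_tag_spec(), safe_url() and vanilla_tags() are hypothetical names chosen here, and both input strings are constructed for the demonstration.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// Part 1 reproduces the reported behaviour: strip_tags() keeps every
// attribute on an allowed tag. Part 2 is a hypothetical vanilla_tags()
// that takes the "a[href,target],br,p" spec style suggested in the thread
// and keeps only the listed attributes on the listed tags.

// Constructed input: an allowed <b> carrying an event-handler attribute.
$untrusted = 'Hello <b onmouseover="alert(1)">world</b> <script>alert(2)</script>';

// strip_tags() removes the <script> tags but leaves the handler on <b> intact.
$kept = strip_tags($untrusted, '<b>');

/** "a[href,target],br,p" -> ['a' => ['href','target'], 'br' => [], 'p' => []] */
function parse_tag_spec(string $spec): array
{
    $allowed = [];
    preg_match_all('/([a-z][a-z0-9]*)(?:\[([^\]]*)\])?/i', $spec, $items, PREG_SET_ORDER);
    foreach ($items as $item) {
        $attrs = isset($item[2]) && trim($item[2]) !== ''
            ? array_map('strtolower', array_map('trim', explode(',', $item[2])))
            : [];
        $allowed[strtolower($item[1])] = $attrs;
    }
    return $allowed;
}

/** Whitelisting an attribute name is not enough for URL attributes: a kept
 *  href="javascript:..." is still script. Allow only a few schemes. */
function safe_url(string $url): bool
{
    // Browsers ignore control characters inside the scheme, so "jav\tascript:"
    // is still javascript:; strip them before inspecting.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

function vanilla_tags(string $html, string $spec): string
{
    $allowed = parse_tag_spec($spec);

    // Step 1: let strip_tags() remove every tag that is not on the list.
    $html = strip_tags($html, '<' . implode('><', array_keys($allowed)) . '>');

    // Step 2: rewrite each surviving tag, keeping only whitelisted attributes.
    return preg_replace_callback(
        '/<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/i',
        function (array $m) use ($allowed) {
            $tag = strtolower($m[2]);
            if ($m[1] === '/') {
                return "</$tag>";
            }
            $out = '';
            preg_match_all(
                '/([a-z][a-z0-9_:\-]*)\s*(?:=\s*("[^"]*"|\'[^\']*\'|[^\s"\'>]+))?/i',
                $m[3], $attrs, PREG_SET_ORDER
            );
            foreach ($attrs as $a) {
                $name = strtolower($a[1]);
                if (!in_array($name, $allowed[$tag] ?? [], true)) {
                    continue; // drops onmouseover, onclick, style, ...
                }
                $raw = $a[2] ?? '';
                if ($raw !== '' && ($raw[0] === '"' || $raw[0] === "'")) {
                    $raw = substr($raw, 1, -1);
                }
                // Decode entities before inspecting (java&#x73;cript:), then
                // re-encode on output so the value cannot break out of its quotes.
                $value = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
                if (in_array($name, ['href', 'src'], true) && !safe_url($value)) {
                    continue;
                }
                $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
            }
            return "<$tag$out>";
        },
        $html
    );
}

// Constructed input mixing allowed tags, handler attributes and a javascript: link.
$post = '<p onclick="x()">Visit <a href="https://example.com" target="_blank" '
      . 'onmouseover="alert(1)">here</a><br/><a href="javascript:alert(2)">bad</a></p>';

echo $kept, "\n";
echo vanilla_tags($post, 'a[href,target],br,p'), "\n";
```

Running this shows the difference the report is about: the onmouseover handler on <b> comes through strip_tags() unchanged, whereas vanilla_tags() keeps <p>, <a> and <br> but drops onclick and onmouseover, and also drops the javascript: href even though href itself is whitelisted. The second pass is a regex over whatever strip_tags() left, which is enough to demonstrate the point but is not a robust HTML parser; for a production site a parser-based whitelist sanitizer such as HTML Purifier is the safer choice.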