Bug #17099 strip_tags() not just stripping out HTML-tags
Submitted: 2002-05-08 10:50 UTC Modified: 2002-05-08 11:52 UTC
From: yves at fuifbeest dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 4.2.0 OS: Unix/Apache
Private report: No CVE-ID: None

 [2002-05-08 10:50 UTC] yves at fuifbeest dot com
I've made a PHP-based forum and some of the users found out that if they were putting text between < or > (HTML &lt; and &gt; ), this text was lost...

Browsing through the source-code and a few tests later, I found out it was strip_tags() causing the problem...
strip_tags() is described as "stripping out all HTML- and PHP-tags", so I thought this was a nice way to prevent users from making some sort of childish color-book with images, color-text, etc. in between the serious posts...

Now it appears that strip_tags() strips out ANYTHING in a string between < and > (the HTML fishing-hooks, sorry for mentioning them all the time, but I don't know if you're seeing them), so that's rather inconvenient I thought...

Wouldn't it be possible that PHP has an internal list of all HTML-tags (maybe it has already) and that it should just strip out what a web-browser would interpret as an HTML-tag?

Ex.: <?php echo strip_tags("blabla < yieha > blabla"); ?>
This will return "blabla  blabla"...

 [2002-05-08 11:52 UTC] jimw@php.net
this is intentional. strip_tags requires the caller to declare what tags to keep, regardless of whether they are valid html or not. if you just want to get rid of angle brackets, you can use str_replace() or use htmlentities() to preserve them, but prevent them from being interpreted as html tag delimiters.
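
The difference between the two approaches in the reply above, as an added example that is not part of the original report or of PHP's own code: stripping versus escaping a forum post before display. The helper names and sample posts are constructed for illustration, and htmlspecialchars() is used as the narrower sibling of the htmlentities() call mentioned in the reply.

```php
<?php
// Added example. Function names and sample posts are constructed.

// strip_tags() removes whatever its parser treats as a tag and keeps only
// the tag names listed in $allowed. It has no list of "real" HTML tags.
function render_stripped(string $post, string $allowed = ''): string
{
    return strip_tags($post, $allowed);
}

// Escaping keeps every character the user typed, but turns the markup
// delimiters into entities so the browser shows them as text.
function render_escaped(string $post): string
{
    return htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$posts = [
    // Plain text that merely contains angle brackets.
    'if a <b and b> c then something is wrong',
    'mail me at <user@example.invalid> please',
    // The kind of decoration the forum owner wanted to block.
    '<b style="color:red">LOUD</b> <img src="x.png"> hello',
];

foreach ($posts as $post) {
    echo "input     : ", $post, "\n";
    // Text between < and > is lost whether or not it is valid HTML.
    echo "stripped  : ", render_stripped($post), "\n";
    // Allowed tags pass through with their attributes untouched, so an
    // allow-list of '<b>' still lets style="color:red" reach the page.
    echo "allow <b> : ", render_stripped($post, '<b>'), "\n";
    // Nothing is lost and nothing is interpreted as markup.
    echo "escaped   : ", render_escaped($post), "\n\n";
}
```

Run it with the PHP CLI and compare the three output lines per post: only the escaped form both preserves the user's text and prevents it from rendering as HTML.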
 
Last updated: Fri Apr 19 01:01:28 2024 UTC