|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53755 FILTER_SANITIZE_STRING truncates string with unmatched <
Submitted: 2011-01-15 01:40 UTC Modified: 2011-01-18 14:02 UTC
From: pgarvin76 at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.3.5 OS: Ubuntu/Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: pgarvin76 at gmail dot com
New email:
PHP Version: OS:


 [2011-01-15 01:40 UTC] pgarvin76 at gmail dot com
If a string containing an unmatched "<" character is run through the FILTER_SANITIZE_STRING filter the string is truncated at the <.

The problem seems to stem from the last parameter in the call to php_strip_tags_ex(). That parameter tells php_strip_tags_ex() ignore spaces trailing "<" characters. I checked how php_strip_tags_ex() is called in the PHP function strip_tags() and it tells php_strip_tags_ex to allow spaced after a "<".

See ext/filter/santitizing_filters.c line 203 and ext/standard/string.c line 4023 in PHP 5.3.5.

Test script:
echo filter_var('four is < 6', FILTER_SANITIZE_STRING);

Expected result:
four is < 6

Actual result:
four is 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-01-15 01:50 UTC] pgarvin76 at gmail dot com
The bugtracker would let me upload my diff so I created a Gist for it on Github.
I tested this solves the problem on 5.3.5.

Also here is a PHPT test for the bug.
 [2011-01-17 14:39 UTC]
The fix is not correct, since it would not change the fact that "four is <6" would 
return "four is "
 [2011-01-18 14:02 UTC]
-Status: Open +Status: Bogus
 [2011-01-18 14:02 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 13 16:01:31 2024 UTC