|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #56938 Text enclosed by angle brackets vanishes from post variables
Submitted: 2006-04-06 12:08 UTC Modified: 2006-04-06 12:50 UTC
From: msaladna at apisnetworks dot com Assigned:
Status: Not a bug Package: filter (PECL)
PHP Version: 5.1.2 OS: Linux, RHEL3
Private report: No CVE-ID: None
 [2006-04-06 12:08 UTC] msaladna at apisnetworks dot com
This actually happens with PHP 5.1.2 and the filter extension built into PHP's interpreter directly.

On a post, all data that is enclosed by <>, e.g. HTML tags, even the PHP delimiters <?php ... ?> are removed from the variable.  Thus "<foo>" becomes "", "<?php ... some code ... ?>" becomes "", "<foo>bar</foo>" becomes "bar", and so on.

I have a workaround temporarily to remedy the problem.  Add an onSubmit event to the form tag and change all occurrences of < in the field to &amp;lt; which appears to fix it.

Hopefully this should be independent of the PHP build options and php.ini settings.  If not, let me know and I can include that information as well.

Reproduce code:
if (isset($_POST['code'])) { var_export($_POST); }
<form method="post">
<textarea rows="40" cols="80" name="code" WRAP="OFF"></textarea>
<br />
<input type="submit" />

Enter something like, "<test>foo</test>" into the textarea

Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-04-06 12:17 UTC]
Sorry, but your problem does not imply a bug in PECL itself.  For a
list of more appropriate places to ask for help using PECL, please
visit as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PECL.

This is not a bug, this is what filter is all about. I think you have set the default filter to strip_tags and then this behavior is perfectly normal. Check what phpinfo() says about the filter extention's settings.
 [2006-04-06 12:50 UTC] msaladna at apisnetworks dot com
Sorry about the title, I just noticed Firefox.  Anyway though, I would expect for the default value to be unsafe_raw (or filter_off to disable filtering) keeping filter in a permissive state rather than strict state.  Per the default configuration, everything HTMLish tag will be stripped out of input variables, which can lead to problems with file managers/editors or for whatever reason, some application that uses <> extensively.  Consider it in a threaded environment where you can't dl() the extension to use it just once.  It would be loaded and thus go through the same filtering process for every page served up by the Web server.  This can lead to unexpected behavior with existing applications.

I would reconsider the default value for filter.default.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Dec 04 23:03:34 2021 UTC