Bug #66111 strip_tags strip <=
Submitted: 2013-11-18 08:33 UTC Modified: 2013-11-20 15:50 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: 22rist at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.5Git-2013-11-18 (Git) OS: windows 7 x64
Private report: No CVE-ID: None
 [2013-11-18 08:33 UTC] 22rist at gmail dot com
Description:
------------
It is very hard to explain to a copywriter that he should not use "<=" in his text for security purposes.

Test script:
---------------
$text = "Mileage <= 15000";
print_r(strip_tags($text));
//print: Mileage

Expected result:
----------------
Mileage <= 15000

Actual result:
--------------
Mileage

 [2013-11-19 13:10 UTC] anon at anon dot anon
strip_tags converts HTML to plain text. If you're typing "Mileage <= 15000", that's not HTML, it's text, so strip_tags is the wrong function. Use htmlspecialchars.
 [2013-11-19 14:18 UTC] 22rist at gmail dot com
This text can be in comments. Some of these comments can be from users. There can be tags that I must strip. But there can be "Mileage <= 15000" that I shouldn't strip. What should I do?
 [2013-11-20 12:12 UTC] anon at anon dot anon
>There can be tags that I must strip.

In other words, you're trying to make it a nuisance for anyone on the off chance they want to talk about HTML.

strip_tags is the wrong function. Use htmlspecialchars.
 [2013-11-20 12:23 UTC] 22rist at gmail dot com
For security reasons (to prevent XSS) I should strip all tags in user comments. It's not a developer blog and there won't be conversation about HTML.
And your comment "they want to talk about HTML." is not related to the subject.
The subject is "The function strip_tags should strip tags and only tags".
 [2013-11-20 13:17 UTC] anon at anon dot anon
There's a very easy way to prevent XSS and allow "Mileage <= 15000". It's called htmlspecialchars.
 [2013-11-20 13:35 UTC] 22rist at gmail dot com
Ok, htmlspecialchars will prevent XSS. But I want to STRIP TAGS.

I want to see
"Please use google.com"
when a user writes
"<b>Please</b> use <a href="https://www.google.com">google.com</a>"
AND NOT an encoded variant of "<b>Please</b> use <a href="https://www.google.com">google.com</a>" as htmlspecialchars does.
 [2013-11-20 13:59 UTC] anon at anon dot anon
Why would someone write that?

Oh wait, you just did. Can you imagine how annoying it would be for you to type your comment if this bug page used strip_tags?
 [2013-11-20 14:18 UTC] 22rist at gmail dot com
The subject is "The function strip_tags should strip tags and only tags".
Not "How I use strip_tags". Or "how somebody filters comments".
So if you can't write something related to the subject please do not spam.
 [2013-11-20 14:46 UTC] anon at anon dot anon
The subject is that you're misusing the function. strip_tags removes tags from HTML. This is not valid HTML:

    Mileage <= 15000

Now read the warning in the documentation: 

    Because strip_tags() does not actually validate the HTML, partial or
    broken tags can result in the removal of more text/data than expected.

I.e., garbage in = garbage out.
 [2013-11-20 14:54 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2013-11-20 14:54 UTC] johannes@php.net
Browsers are quite error tolerant in parsing HTML. strip_tags tries to be secure with the risk of breaking input. If you want to take data into HTML and want the browser to render it properly use htmlentities etc.
 [2013-11-20 15:02 UTC] 22rist at gmail dot com
I want to filter a string written by a user
"<b>Best car ever!<b/> Mileage <= 15000"
so it looks like
"Best car ever! Mileage <= 15000";
I want to strip only tags. PHP can't do it using native functions?
 [2013-11-20 15:50 UTC] rasmus@php.net
-Block user comment: No +Block user comment: Yes
 [2013-11-20 15:50 UTC] rasmus@php.net
This is not a support forum. There is no bug here.
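A worked comparison, added here and not part of the bug report or of PHP's own code, that runs the sample strings from this thread through strip_tags(), through a narrower tag pattern that leaves a bare "<=" alone, and through htmlspecialchars() for output. The function names escape_html() and remove_tag_like_markup() are chosen for this example; the regex cleanup is cosmetic, and the escaping step is the part that actually prevents XSS.

```php
<?php
// Added example (not from the bug report): contrast strip_tags() with
// output escaping on the strings discussed in this thread, and show a
// narrower tag-removal pattern that keeps a bare "<=" comparison.

declare(strict_types=1);

/** Escape for an HTML text node; this is the actual XSS control. */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Remove only things that look like real tags (an optional "/", a letter,
 * then anything up to ">"). A lone "<" followed by "=" or a space is left
 * alone. This is a cosmetic cleanup, not a security boundary: the result
 * must still be passed through escape_html() before it reaches a browser.
 */
function remove_tag_like_markup(string $s): string
{
    return preg_replace('#</?[A-Za-z][^>]*>#', '', $s) ?? '';
}

// Constructed inputs, taken from the discussion above.
$samples = [
    'Mileage <= 15000',
    '<b>Best car ever!<b/> Mileage <= 15000',
    '<b>Please</b> use <a href="https://www.google.com">google.com</a>',
];

foreach ($samples as $input) {
    printf("input:        %s\n", $input);
    // Native strip_tags(): "<" opens a tag, and with no closing ">" the
    // rest of the string is discarded, which is the behaviour reported.
    printf("strip_tags:   %s\n", strip_tags($input));
    // Narrow pattern: well-formed tags go, "<= 15000" stays.
    printf("narrow strip: %s\n", remove_tag_like_markup($input));
    // What should actually be emitted into an HTML page.
    printf("escaped:      %s\n\n", escape_html(remove_tag_like_markup($input)));
}
```

Run it with `php` on the command line; the escaped line is the only one that is safe to place into an HTML response, whichever stripping step preceded it.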