Bug #70720 strip_tags improper php code parsing
Submitted: 2015-10-15 14:54 UTC Modified: 2016-02-02 09:42 UTC
From: admin at sinfocol dot org Assigned: jpauli
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: Any
Private report: No CVE-ID:
 [2015-10-15 14:54 UTC] admin at sinfocol dot org
Description:
------------
Hello,

The strip_tags function stops the processing of php code until the next ">" is found if the string "xml" is included within php tags.

Test script:
---------------
<?php

var_dump(strip_tags('<?php $dom->test(); ?> this is a test'));
var_dump(strip_tags('<?php $xml->test(); ?> this is a test'));

Expected result:
----------------
string(15) " this is a test"
string(15) " this is a test"

Actual result:
--------------
string(15) " this is a test"
string(25) "test(); ?> this is a test"

 [2015-12-22 14:15 UTC] jpauli@php.net
-Type: Security +Type: Bug -Assigned To: +Assigned To: jpauli
 [2015-12-22 14:15 UTC] jpauli@php.net
Requalifying as non-security bug
 [2015-12-22 15:28 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff7ed9021cd72a7f82dd4301cdc266afdff458ad
Log: Fix #70720
 [2015-12-22 15:28 UTC] jpauli@php.net
-Status: Assigned +Status: Closed
 [2015-12-22 15:29 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff7ed9021cd72a7f82dd4301cdc266afdff458ad
Log: Fix #70720
 [2015-12-22 15:35 UTC] jpauli@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Fixed in next release, at ff7ed9021cd72a7f82dd4301cdc266afdff458ad
 [2016-01-06 14:35 UTC] tyrael@php.net
To clarify, this fix will be in 5.6.18, as it was fixed after 5.6.17RC1 was tagged and released, and as this isn't a security fix there is no reason not to let it go through a proper RC cycle.
 [2016-01-29 11:43 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=47af41b785f5b669b755a843ed081945f17989a3
Log: Revert "Fix #70720"
 [2016-02-02 04:46 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=47af41b785f5b669b755a843ed081945f17989a3
Log: Revert "Fix #70720"
 [2016-02-02 09:42 UTC] jpauli@php.net
-Status: Closed +Status: Assigned
 [2016-02-02 17:17 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6b0b29edd6084699ae6690064c997b9bf44462d4
Log: Fix #70720
 [2016-02-02 17:17 UTC] jpauli@php.net
-Status: Assigned +Status: Closed
 [2016-02-02 17:23 UTC] jpauli@php.net
Will be part of 5.6.19, as we detected a BC in 5.6.18 about this patch, which then has been reworked.
 [2016-02-02 17:32 UTC] jpauli@php.net
Automatic comment on behalf of jpauli
Revision: http://git.php.net/?p=php-src.git;a=commit;h=15b1efeba88563a30978f7cafa15abd7cd85bc9e
Log: Revert "Fix #70720"
 [2016-03-28 08:33 UTC] samyabbas31 at gmail dot com
Hi,
I still have a bug with the following code:

<?php 
[...]
scriptLog('   ->/view/main.php');
[...]
?>

Parsing assumes php code stops with "->" in the scriptLog argument.

Regards,
Sam
 [2016-07-20 11:33 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=47af41b785f5b669b755a843ed081945f17989a3
Log: Revert "Fix #70720"
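
An added example (not part of the bug report or of php-src): a small PHP probe that runs the report's two inputs, plus one input constructed from the 2016-03-28 comment, through strip_tags() on the local runtime and exits non-zero if any output differs from the expected text. The helper name probe_strip_tags and the expected value for the third input are assumptions.

```php
<?php
// Added example: regression probe for the strip_tags() behaviour in bug #70720.
// Cases 1 and 2 (inputs and expected outputs) are copied from the report.
// Case 3 is constructed from the 2016-03-28 comment with the elided lines
// dropped; its expected output assumes the whole PHP block should be removed.
$cases = array(
    'report: $dom' => array(
        '<?php $dom->test(); ?> this is a test',
        ' this is a test',
    ),
    'report: $xml' => array(
        '<?php $xml->test(); ?> this is a test',
        ' this is a test',
    ),
    'comment: "->"' => array(
        '<?php scriptLog(\'   ->/view/main.php\'); ?> this is a test',
        ' this is a test',
    ),
);

// Returns label => actual output for every case whose output differs
// from the expected text. An empty array means all cases matched.
function probe_strip_tags(array $cases)
{
    $failures = array();
    foreach ($cases as $label => $case) {
        list($input, $expected) = $case;
        $actual = strip_tags($input);
        if ($actual !== $expected) {
            $failures[$label] = $actual;
        }
    }
    return $failures;
}

$failures = probe_strip_tags($cases);
foreach ($cases as $label => $case) {
    if (array_key_exists($label, $failures)) {
        // Show the unexpected output so surviving code fragments are visible.
        printf("FAIL %-14s got %s\n", $label, var_export($failures[$label], true));
    } else {
        printf("ok   %s\n", $label);
    }
}

// Non-zero exit status lets a CI job or image build fail on a mismatch.
exit($failures ? 1 : 0);
```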
 
Last updated: Fri Feb 24 01:01:37 2017 UTC