Bug #73823 filter_var() cuts at < char
Submitted: 2016-12-27 15:48 UTC Modified: 2016-12-27 23:50 UTC
From: spam2 at rhsoft dot net Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.1.0 OS:
Private report: No CVE-ID: None
 [2016-12-27 15:48 UTC] spam2 at rhsoft dot net
Description:
------------
[harry@srv-rhsoft:~]$ php -r "echo filter_var('te<st', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);"
te

[harry@srv-rhsoft:~]$ php -r "echo filter_var('te<st>x', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);"
tex


is this a joke?

besides that FILTER_FLAG_STRIP_LOW is not usable for values from a textarea without replacing line breaks beforehand with something else and restoring them after filtering, it's a no-go to cut the whole input before a < sign

given the second example this looks like a lousy try at HTML filtering


 [2016-12-27 23:17 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2016-12-27 23:17 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is not related to FILTER_FLAG_STRIP_LOW[1], but rather
FILTER_SANITIZE_STRING is supposed to strip tags.

[1] <https://3v4l.org/dLPn6>
[2] <http://php.net/manual/en/filter.filters.sanitize.php>
[3] <http://php.net/manual/en/function.strip-tags.php>
 [2016-12-27 23:38 UTC] spam2 at rhsoft dot net
are you kidding me?

a SINGLE < inside a string is NOT a tag and no justification to cut the whole input there - it makes the filter unusable in real life
 [2016-12-27 23:50 UTC] cmb@php.net
> a SINGLE < inside a string is NOT a tag and no justification to
> cut the whole input there - it makes the filter unuseable in
> real life

Well, it's supposed to work exactly like strip_tags()[1], so if
anything should be changed, strip_tags() should be changed as well
(what would probably require an RFC[2]).

[1] <https://3v4l.org/dLPn6>
[2] <https://wiki.php.net/rfc/howto>
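As an added example (not part of the bug report and not PHP's own code), the script below runs the two inputs from the report, plus a constructed textarea-style value, through FILTER_SANITIZE_STRING, strip_tags() and htmlspecialchars(), and implements the "replace line breaks before, restore after" workaround the reporter mentions for FILTER_FLAG_STRIP_LOW. The function names and the private-use placeholder character are assumptions of this example. FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so the first sanitizer emits a deprecation notice there.

```php
<?php
// Added example, not from the bug thread: compares strip-based "sanitizing"
// (FILTER_SANITIZE_STRING, which the maintainer says mirrors strip_tags())
// with context-specific output encoding (htmlspecialchars()).
// Assumes a PHP build with the filter extension; FILTER_SANITIZE_STRING is
// deprecated since PHP 8.1, hence the @ on that call.

declare(strict_types=1);

/** Inputs: the two values from the report plus one constructed sample. */
const SAMPLES = [
    'te<st',               // a lone '<' with no closing '>'
    'te<st>x',             // a '<...>' pair that looks like a tag
    "a < b\nand b > c",    // constructed: comparison operators and a newline
];

/** Strip-based "sanitizing": lossy, because '<' is treated as a tag start. */
function sanitizeByStripping(string $in): string
{
    // @ silences the PHP >= 8.1 deprecation notice; behaviour is unchanged.
    return (string) @filter_var($in, FILTER_SANITIZE_STRING);
}

/** The same behaviour via strip_tags(), which the maintainer cites as the reference. */
function sanitizeByStripTags(string $in): string
{
    return strip_tags($in);
}

/** Output encoding for an HTML context: keeps the data, neutralises the markup. */
function encodeForHtml(string $in): string
{
    return htmlspecialchars($in, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Reporter's workaround for FILTER_FLAG_STRIP_LOW on textarea input:
 * protect the newlines with a placeholder, strip the remaining control
 * bytes, then put the newlines back. The placeholder is an assumed
 * private-use code point (multi-byte in UTF-8, so STRIP_LOW leaves it alone).
 */
function stripLowKeepNewlines(string $in): string
{
    $placeholder = "\u{E000}"; // assumption: never present in real input
    $protected = str_replace(["\r\n", "\n"], $placeholder, $in);
    $stripped = (string) filter_var($protected, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    return str_replace($placeholder, "\n", $stripped);
}

/** Collects every transformation of every sample into one table. */
function demo(): array
{
    $rows = [];
    foreach (SAMPLES as $s) {
        $rows[] = [
            'input'        => $s,
            'sanitize'     => sanitizeByStripping($s),
            'strip_tags'   => sanitizeByStripTags($s),
            'htmlspecial'  => encodeForHtml($s),
            'strip_low_nl' => stripLowKeepNewlines($s),
        ];
    }
    return $rows;
}

// json_encode() makes lost characters and newlines visible in the output.
foreach (demo() as $row) {
    foreach ($row as $label => $value) {
        printf("%-13s %s\n", $label . ':', json_encode($value));
    }
    echo "\n";
}
```

Run it with `php demo.php`. The practical point for a defender is the difference between the columns: a strip-based filter silently discards whatever it mistakes for markup, so the stored value no longer matches what the user typed, while htmlspecialchars() keeps the full value and only changes its representation for the HTML output context. Sanitizing input once and encoding output per context are different tasks, and only the second one preserves data like `a < b`.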
 