|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #78364 strip_tags should not remove \x00
Submitted: 2019-08-01 21:50 UTC Modified: 2019-08-02 00:42 UTC
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bkfake-php at yahoo dot com Assigned:
Status: Open Package: Strings related
PHP Version: 7.3.8 OS: osx
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-08-01 21:50 UTC] bkfake-php at yahoo dot com
strip_tags strips the null character \x00 from the string
this is neither documented nor desired behavior

tested on v5.6.40 and 7.1.25 - 7.4.0beta1

Test script:
// outputs "where'd null go?"

$str = "hello\x00world";
$strAfter = strip_tags($str);
if ($str == $strAfter) {
    echo 'all is well';
} else {
    echo "where'd null go?";

Expected result:
null char should remain and output "all is well"

Actual result:
outputs "where'd null go?"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-01 21:55 UTC]
-Summary: strip_tags removes \x00 +Summary: strip_tags should not remove \x00 -Type: Bug +Type: Feature/Change Request -Package: Unknown/Other Function +Package: Strings related
 [2019-08-01 21:55 UTC]
Undocumented? Are you sure about that?
 [2019-08-01 21:57 UTC]
-Status: Open +Status: Not a bug
 [2019-08-01 21:57 UTC]
This is clearly documented.
 [2019-08-01 21:58 UTC]
Sorry Damien you were too fast again :-)

Want to change it back to FR?
 [2019-08-01 22:17 UTC]
-Status: Not a bug +Status: Open
 [2019-08-01 22:17 UTC]

Doing some research, I see HTML 5 allows NULs sometimes, but I can't tell how HTML 4 feels about it. If there was a particular reason strip_tags removed them then the behavior should probably stay, but otherwise I think it's a (undoubtedly rare) edge case that should be fine to remove.
 [2019-08-02 00:42 UTC] bkfake-php at yahoo dot com
In my case I'm working with "plain text" that may have had html tags added somewhere upstream..
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Mar 04 16:01:29 2024 UTC