Patch striptags.diff.base64 revision 2011-01-10 21:20 UTC by jthijssen at noxlogic dot nl
Patch striptags.diff revision 2011-01-09 20:41 UTC by jthijssen at noxlogic dot nl

Patch striptags.diff for Strings related Bug #23723

Patch version 2011-01-09 20:41 UTC

This patch is obsolete


Developer: jthijssen@noxlogic.nl

Index: ext/standard/string.c
===================================================================
--- ext/standard/string.c	(revision 307135)
+++ ext/standard/string.c	(working copy)
@@ -3996,7 +3996,7 @@
 }
 /* }}} */
 
-/* {{{ proto string strip_tags(string str [, string allowable_tags])
+/* {{{ proto string strip_tags(string str [, string allowable_tags] [, bool whitelist])
    Strips HTML and PHP tags from a string */
 PHP_FUNCTION(strip_tags)
 {
@@ -4004,11 +4004,12 @@
 	char *str;
 	zval **allow=NULL;
 	char *allowed_tags=NULL;
+	zend_bool whitelist=1;
 	int allowed_tags_len=0;
 	int str_len;
 	size_t retval_len;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|Z", &str, &str_len, &allow) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|Zb", &str, &str_len, &allow, &whitelist) == FAILURE) {
 		return;
 	}
 	
@@ -4020,7 +4021,7 @@
 	}
 
 	buf = estrndup(str, str_len);
-	retval_len = php_strip_tags_ex(buf, str_len, NULL, allowed_tags, allowed_tags_len, 0);
+	retval_len = php_strip_tags_ex(buf, str_len, NULL, allowed_tags, allowed_tags_len, 0, whitelist);
 	RETURN_STRINGL(buf, retval_len, 0);
 }
 /* }}} */
@@ -4235,9 +4236,9 @@
 }
 /* }}} */
 
-PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, int allow_len) /* {{{ */
+PHPAPI size_t  php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, int allow_len, int whitelist) /* {{{ */
 {
-	return php_strip_tags_ex(rbuf, len, stateptr, allow, allow_len, 0);
+	return php_strip_tags_ex(rbuf, len, stateptr, allow, allow_len, 0, whitelist);
 }
 /* }}} */
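Review bot: The new `whitelist` parameter of php_strip_tags() is declared `int` but is forwarded to a `zend_bool` parameter of php_strip_tags_ex(), so the two entry points disagree on its type. If zend_bool is the unsigned char typedef used in this branch, an int argument such as 256 narrows to 0 and the call silently switches from allow-list to deny-list filtering. Declaring it `zend_bool whitelist` here and in php_string.h keeps the wrapper and the _ex function consistent. The doubled space after `size_t` on the same line can be dropped as well.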
 
@@ -4258,10 +4259,17 @@
 	in state 1 and when the tag is closed check it against the
 	allow string to see if we should allow it.
 
+	When whitelist  is true (default value), it will allow only the
+	tags stated in the allow string.
+ 
+	When whitelist is false, it will leave all tags alone EXCEPT the
+	tags that that are inside the allow-list in effect making the
+	'allow' parameter a blacklist
+
 	swm: Added ability to strip <?xml tags without assuming it PHP
 	code.
 */
-PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, int allow_len, zend_bool allow_tag_spaces)
+PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, int allow_len, zend_bool allow_tag_spaces, zend_bool whitelist)
 {
 	char *tbuf, *buf, *p, *tp, *rp, c, lc;
 	int br, i=0, depth=0, in_q = 0;
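Review bot: The added comment block describes the deny-list mode but not its limits, and it will be read as the contract for a function that is applied to untrusted markup. With whitelist false every tag not named in `allow` is copied to the output; the expected output added to strip_tags_variation4.phpt shows the `<%?php … ?%>` block and unknown elements such as `<nnn>` passing through unchanged. The comment should therefore say that this mode is not suitable as an HTML sanitizer and that allow-list filtering remains the default. It should also state what happens when `allow` is NULL or empty while whitelist is false, which the visible lines do not settle, and fix the typos (`whitelist  is`, `that that`). The function body continues outside the hunk.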
@@ -4369,7 +4377,7 @@
 							}
 							*(tp++) = '>';
 							*tp='\0';
-							if (php_tag_find(tbuf, tp-tbuf, allow)) {
+							if (! (php_tag_find(tbuf, tp-tbuf, allow) ^ whitelist) ) {
 								memcpy(rp, tbuf, tp-tbuf);
 								rp += tp-tbuf;
 							}
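Review bot: The keep/strip decision `! (php_tag_find(tbuf, tp-tbuf, allow) ^ whitelist)` is only correct when both operands are exactly 0 or 1, because `^` is a bitwise operator. The userland path gets 0/1 from the `b` specifier, but C callers reach this through php_strip_tags(), which takes an `int`; a truthy value such as 2 makes the expression false for every tag, so tags on the allow list are stripped too. Comparing truth values avoids that: `if (!php_tag_find(tbuf, tp-tbuf, allow) == !whitelist) {`. The enclosing branch and php_tag_find's return range are outside the hunk, so the 0/1 assumption about its result should be confirmed.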
Index: ext/standard/tests/strings/strip_tags_variation4.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation4.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation4.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string
  * Source code: ext/standard/string.c
 */
@@ -33,6 +33,7 @@
 
 //valid html and php tags
 $quotes = "<p><a><?php<html>";
+$quotes2 = "<p><a>";
 
 //loop through the various elements of strings array to test strip_tags() functionality
 $iterator = 1;
@@ -40,6 +41,7 @@
 {
       echo "-- Iteration $iterator --\n";
       var_dump( strip_tags($string_value, $quotes) );
+      var_dump( strip_tags($string_value, $quotes2, false) );
       $iterator++;
 }
 
@@ -49,26 +51,38 @@
 *** Testing strip_tags() : usage variations ***
 -- Iteration 1 --
 string(32) "hello 		world... strip_tags_test"
+string(54) "<abc>hello</abc> 		world... <ppp>strip_tags_test</ppp>"
 -- Iteration 2 --
 string(34) "hello \t\tworld... strip_tags_test"
+string(56) "<abc>hello</abc> \t\tworld... <ppp>strip_tags_test</ppp>"
 -- Iteration 3 --
 string(0) ""
+string(22) "<%?php hello	 world?%>"
 -- Iteration 4 --
 string(0) ""
+string(23) "<%?php hello\t world?%>"
 -- Iteration 5 --
 string(18) "<htmL>hello</htmL>"
+string(18) "<htmL>hello</htmL>"
 -- Iteration 6 --
 string(18) "<htmL>hello</htmL>"
+string(18) "<htmL>hello</htmL>"
 -- Iteration 7 --
 string(9) "HtMl text"
+string(18) "<a.>HtMl text</.a>"
 -- Iteration 8 --
 string(9) "HtMl text"
+string(18) "<a.>HtMl text</.a>"
 -- Iteration 9 --
 string(26) "I am not a valid html text"
+string(37) "<nnn>I am not a valid html text</nnn>"
 -- Iteration 10 --
 string(26) "I am not a valid html text"
+string(37) "<nnn>I am not a valid html text</nnn>"
 -- Iteration 11 --
 string(62) "I am a quoted (") string with special chars like $,\!,\@,\%,\&"
+string(73) "<nnn>I am a quoted (") string with special chars like $,\!,\@,\%,\&</nnn>"
 -- Iteration 12 --
 string(64) "I am a quoted (\") string with special chars like \$,\!,\@,\%,\&"
+string(75) "<nnn>I am a quoted (\") string with special chars like \$,\!,\@,\%,\&</nnn>"
 Done
Index: ext/standard/tests/strings/strip_tags_error.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_error.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_error.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string 
  * Source code: ext/standard/string.c
 */
@@ -20,8 +20,9 @@
 echo "\n-- Testing strip_tags() function with more than expected no. of arguments --\n";
 $str = "<html>hello</html>";
 $allowable_tags = "<html>";
+$keep_mode = true;
 $extra_arg = 10;
-var_dump( strip_tags($str, $allowable_tags, $extra_arg) );
+var_dump( strip_tags($str, $allowable_tags, $keep_mode, $extra_arg) );
 
 echo "Done";
 ?>
@@ -35,6 +36,6 @@
 
 -- Testing strip_tags() function with more than expected no. of arguments --
 
-Warning: strip_tags() expects at most 2 parameters, 3 given in %s on line %d
+Warning: strip_tags() expects at most 3 parameters, 4 given in %s on line %d
 NULL
 Done
Index: ext/standard/tests/strings/strip_tags_variation6.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation6.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation6.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string
  * Source code: ext/standard/string.c
 */
@@ -29,6 +29,8 @@
 {
       echo "-- Iteration $iterator --\n";
       var_dump( strip_tags($value) );
+      var_dump( strip_tags($value, '<html>', false) );
+      var_dump( strip_tags($value, '<html>', true) );
       $iterator++;
 }
 
@@ -38,10 +40,18 @@
 *** Testing strip_tags() : usage variations ***
 -- Iteration 1 --
 string(18) " I am html string "
+string(18) " I am html string "
+string(31) "<html> I am html string </html>"
 -- Iteration 2 --
 string(18) " I am html string "
+string(18) " I am html string "
+string(31) "<html> I am html string </html>"
 -- Iteration 3 --
 string(16) "I am html string"
+string(23) "<a>I am html string</a>"
+string(16) "I am html string"
 -- Iteration 4 --
 string(23) "I am html string1000001"
+string(23) "I am html string1000001"
+string(36) "<html>I am html string</html>1000001"
 Done
Index: ext/standard/tests/strings/strip_tags_basic1.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_basic1.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_basic1.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string 
  * Source code: ext/standard/string.c
 */
Index: ext/standard/tests/strings/strip_tags_variation7.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation7.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation7.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string
  * Source code: ext/standard/string.c
 */
@@ -38,6 +38,7 @@
 {
       echo "-- Iteration $iterator --\n";
       var_dump( strip_tags($string_value, $quotes) );
+      var_dump( strip_tags($string_value, $quotes, false) );
       $iterator++;
 }
 
@@ -47,26 +48,38 @@
 *** Testing strip_tags() : usage variations ***
 -- Iteration 1 --
 string(43) "<abc>hello</abc> 		world... strip_tags_test"
+string(43) "hello 		world... <ppp>strip_tags_test</ppp>"
 -- Iteration 2 --
 string(45) "<abc>hello</abc> \t\tworld... strip_tags_test"
+string(45) "hello \t\tworld... <ppp>strip_tags_test</ppp>"
 -- Iteration 3 --
 string(0) ""
+string(22) "<%?php hello	 world?%>"
 -- Iteration 4 --
 string(0) ""
+string(23) "<%?php hello\t world?%>"
 -- Iteration 5 --
 string(18) "<htmL>hello</htmL>"
+string(5) "hello"
 -- Iteration 6 --
 string(18) "<htmL>hello</htmL>"
+string(5) "hello"
 -- Iteration 7 --
 string(9) "HtMl text"
+string(18) "<a.>HtMl text</.a>"
 -- Iteration 8 --
 string(9) "HtMl text"
+string(18) "<a.>HtMl text</.a>"
 -- Iteration 9 --
 string(37) "<nnn>I am not a valid html text</nnn>"
+string(26) "I am not a valid html text"
 -- Iteration 10 --
 string(37) "<nnn>I am not a valid html text</nnn>"
+string(26) "I am not a valid html text"
 -- Iteration 11 --
 string(73) "<nnn>I am a quoted (") string with special chars like $,\!,\@,\%,\&</nnn>"
+string(62) "I am a quoted (") string with special chars like $,\!,\@,\%,\&"
 -- Iteration 12 --
 string(75) "<nnn>I am a quoted (\") string with special chars like \$,\!,\@,\%,\&</nnn>"
+string(64) "I am a quoted (\") string with special chars like \$,\!,\@,\%,\&"
 Done
Index: ext/standard/tests/strings/strip_tags_variation1.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation1.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation1.phpt	(working copy)
@@ -4,7 +4,7 @@
 set short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string 
  * Source code: ext/standard/string.c
 */
@@ -156,4 +156,4 @@
 
 Warning: strip_tags() expects parameter 1 to be string, resource given in %s on line %d
 NULL
-===DONE===
\ No newline at end of file
+===DONE===
Index: ext/standard/tests/strings/strip_tags_basic2.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_basic2.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_basic2.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string
  * Source code: ext/standard/string.c
 */
Index: ext/standard/tests/strings/strip_tags_variation2.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation2.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation2.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string 
  * Source code: ext/standard/string.c
 */
Index: ext/standard/tests/strings/strip_tags_variation3.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation3.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation3.phpt	(working copy)
@@ -4,7 +4,7 @@
 set short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string 
  * Source code: ext/standard/string.c
 */
@@ -156,4 +156,4 @@
 
 Warning: strip_tags() expects parameter 1 to be string, resource given in %s on line %d
 NULL
-===DONE===
\ No newline at end of file
+===DONE===
Index: ext/standard/tests/strings/strip_tags_variation10.phpt
===================================================================
--- ext/standard/tests/strings/strip_tags_variation10.phpt	(revision 307135)
+++ ext/standard/tests/strings/strip_tags_variation10.phpt	(working copy)
@@ -4,7 +4,7 @@
 short_open_tag = on
 --FILE--
 <?php
-/* Prototype  : string strip_tags(string $str [, string $allowable_tags])
+/* Prototype  : string strip_tags(string $str [, string $allowable_tags] [, bool $whitelist])
  * Description: Strips HTML and PHP tags from a string
  * Source code: ext/standard/string.c
 */
@@ -26,6 +26,7 @@
 );
 
 $quotes = "<html><a><p><b><?php";
+$quotes2 = "<a><b><?php";
 
 //loop through the various elements of strings array to test strip_tags() functionality
 $iterator = 1;
@@ -33,6 +34,7 @@
 {
       echo "-- Iteration $iterator --\n";
       var_dump( strip_tags($string_value, $quotes) );
+      var_dump( strip_tags($string_value, $quotes2, false) );
       $iterator++;
 }
 
@@ -42,14 +44,20 @@
 *** Testing strip_tags() : usage variations ***
 -- Iteration 1 --
 string(51) "<html> \$ -> This represents the dollar sign</html>"
+string(51) "<html> \$ -> This represents the dollar sign</html>"
 -- Iteration 2 --
 string(63) "<html>\t\r\v The quick brown fo\fx jumped over the lazy dog</p>"
+string(63) "<html>\t\r\v The quick brown fo\fx jumped over the lazy dog</p>"
 -- Iteration 3 --
 string(31) "<a>This is a hyper text tag</a>"
+string(24) "This is a hyper text tag"
 -- Iteration 4 --
 string(0) ""
+string(0) ""
 -- Iteration 5 --
 string(26) "<p>This is a paragraph</p>"
+string(26) "<p>This is a paragraph</p>"
 -- Iteration 6 --
 string(65) "<b>This is \ta text in bold letters\r\s\malong with slashes\n</b>"
+string(58) "This is \ta text in bold letters\r\s\malong with slashes\n"
 Done
Index: ext/standard/filters.c
===================================================================
--- ext/standard/filters.c	(revision 307135)
+++ ext/standard/filters.c	(working copy)
@@ -217,7 +217,7 @@
 		bucket = php_stream_bucket_make_writeable(buckets_in->head TSRMLS_CC);
 		consumed = bucket->buflen;
 		
-		bucket->buflen = php_strip_tags(bucket->buf, bucket->buflen, &(inst->state), (char *)inst->allowed_tags, inst->allowed_tags_len);
+		bucket->buflen = php_strip_tags(bucket->buf, bucket->buflen, &(inst->state), (char *)inst->allowed_tags, inst->allowed_tags_len, 1);
 	
 		php_stream_bucket_append(buckets_out, bucket TSRMLS_CC);
 	}
Index: ext/standard/file.c
===================================================================
--- ext/standard/file.c	(revision 307135)
+++ ext/standard/file.c	(working copy)
@@ -1203,7 +1203,7 @@
 		RETURN_FALSE;
 	}
 
-	retval_len = php_strip_tags(retval, actual_len, &stream->fgetss_state, allowed_tags, allowed_tags_len);
+	retval_len = php_strip_tags(retval, actual_len, &stream->fgetss_state, allowed_tags, allowed_tags_len, 1);
 
 	RETURN_STRINGL(retval, retval_len, 0);
 }
Index: ext/standard/php_string.h
===================================================================
--- ext/standard/php_string.h	(revision 307135)
+++ ext/standard/php_string.h	(working copy)
@@ -133,8 +133,8 @@
 PHPAPI char *php_str_to_str(char *haystack, int length, char *needle,
 		int needle_len, char *str, int str_len, int *_new_length);
 PHPAPI char *php_trim(char *c, int len, char *what, int what_len, zval *return_value, int mode TSRMLS_DC);
-PHPAPI size_t php_strip_tags(char *rbuf, int len, int *state, char *allow, int allow_len);
-PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, int allow_len, zend_bool allow_tag_spaces);
+PHPAPI size_t php_strip_tags(char *rbuf, int len, int *state, char *allow, int allow_len, int whitelist);
+PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, int allow_len, zend_bool allow_tag_spaces, zend_bool whitelist);
 PHPAPI int php_char_to_str_ex(char *str, uint len, char from, char *to, int to_len, zval *result, int case_sensitivity, int *replace_count);
 PHPAPI int php_char_to_str(char *str, uint len, char from, char *to, int to_len, zval *result);
 PHPAPI void php_implode(zval *delim, zval *arr, zval *return_value TSRMLS_DC);
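Review bot: Both prototypes changed here are exported with PHPAPI and the new trailing parameters are mandatory, so any out-of-tree extension that calls php_strip_tags() or php_strip_tags_ex() stops compiling against this header. Every in-tree caller updated by this patch (filters.c, file.c, sanitizing_filters.c, README.input_filter) passes a literal `1`, which suggests the existing `php_strip_tags(char *rbuf, int len, int *state, char *allow, int allow_len)` could keep its signature and its allow-list behaviour. The mode flag would then be exposed through a new, separately named function that strip_tags() calls, leaving existing callers unable to end up in deny-list mode by accident.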
Index: ext/filter/sanitizing_filters.c
===================================================================
--- ext/filter/sanitizing_filters.c	(revision 307135)
+++ ext/filter/sanitizing_filters.c	(working copy)
@@ -200,7 +200,7 @@
 	php_filter_encode_html(value, enc);
 
 	/* strip tags, implicitly also removes \0 chars */
-	new_len = php_strip_tags_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0, 1);
+	new_len = php_strip_tags_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0, 1, 1);
 	Z_STRLEN_P(value) = new_len;
 
 	if (new_len == 0) {
Index: README.input_filter
===================================================================
--- README.input_filter	(revision 307135)
+++ README.input_filter	(working copy)
@@ -142,7 +142,7 @@
 
     php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
 
-    php_strip_tags(*val, val_len, NULL, NULL, 0);
+    php_strip_tags(*val, val_len, NULL, NULL, 0, 1);
 
     *new_val_len = strlen(*val);
     return 1;
 