Edit report at https://bugs.php.net/bug.php?id=62032&edit=1
ID: 62032
User updated by: iamcraigcampbell at gmail dot com
Reported by: iamcraigcampbell at gmail dot com
Summary: filter_var incorrectly strips characters from strings after "<"
Status: Open
Type: Bug
Package: Filter related
Operating System: Mac OS X
PHP Version: 5.4.3
Block user comment: N
Private report: N
New Comment:
So in that case I think strip_tags and filter_var are both broken. In this
context:
"It is true that 5<10"
"It is true that 5 < 10"
Neither of these are html tags so the string should not be touched regardless
of if there is a space or not.
Previous Comments:
------------------------------------------------------------------------
[2012-05-15 14:42:47] reeze dot xia at gmail dot com
PS: the reason why strip_tags() didn't strip it is '<' is followed by a
space char but not without ending '>', this is the key point.
Look deep into the source code: the difference is a switch for whether or
not to treat '<' followed by a (or more) spaces as a tag.
------------------------------------------------------------------------
[2012-05-15 14:36:26] reeze dot xia at gmail dot com
strip_tags will strip it even without the ending '>' if '<' is followed by a
non-space char.
If we need to check whether it is a closed tag, it is a feature request to
change its behavior. It will break BC.
------------------------------------------------------------------------
[2012-05-15 14:26:52] iamcraigcampbell at gmail dot com
Well I can understand stripping it if there is a closing > somewhere, but if it
is a < that is not followed by a matching > then it should be allowed in the
string and not stripped. I think strip_tags works as expected.
------------------------------------------------------------------------
[2012-05-15 14:24:14] reeze dot xia at gmail dot com
Hi,
I think it's a document problem. You could refer to this commit:
http://svn.php.net/viewvc?view=revision&revision=225196
strip_tags() didn't allow space after < so strip_tags didn't treat it as an
invalid tag so it didn't get stripped.
filter_var allows space after <, so it stripped everything after <.
I think we could add an extra parameter to strip_tags() to allow space after <
and document it, e.g.:
string strip_tags(string str [, string allowable_tags = null [, bool allow_tag_spaces = false]])
------------------------------------------------------------------------
[2012-05-14 17:19:48] iamcraigcampbell at gmail dot com
Description:
------------
Noticed that for strings with < in them outside of html tags, filter_var will
strip out all characters that come after the <.
Test script:
---------------
<?php
$string = 'i want to say that 5 < 10, but it won\'t let me!';
$filtered_string = filter_var($string, FILTER_SANITIZE_STRING);
var_dump($filtered_string);
$filtered_string_strip_tags = strip_tags($string);
var_dump($filtered_string_strip_tags);
Expected result:
----------------
string(47) "i want to say that 5 < 10, but it won't let me!"
string(47) "i want to say that 5 < 10, but it won't let me!"
Actual result:
--------------
string(21) "i want to say that 5 "
string(47) "i want to say that 5 < 10, but it won't let me!"
------------------------------------------------------------------------
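Added example (not part of the bug report or of PHP's own code): a script that runs the strings quoted in this thread through strip_tags() and filter_var(), and flags any output where text after "<" was silently dropped. The helper name compare_filters, the fourth sample string, and the htmlspecialchars() column (which assumes the value is destined for HTML output) are assumptions of this example.

```php
<?php
/**
 * Run one input through the two functions discussed in the thread, plus
 * htmlspecialchars() for comparison (assumption: value is headed for HTML output).
 */
function compare_filters(string $input): array
{
    $out = ['strip_tags' => strip_tags($input)];

    // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; "@" keeps the
    // deprecation notice out of the comparison output on newer versions.
    if (defined('FILTER_SANITIZE_STRING')) {
        $out['filter_var'] = @filter_var($input, FILTER_SANITIZE_STRING);
    }

    // Encoding keeps every character and makes "<" inert instead of deleting text.
    $out['htmlspecialchars'] = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return $out;
}

$samples = [
    'It is true that 5<10',                               // from the thread
    'It is true that 5 < 10',                             // from the thread
    'i want to say that 5 < 10, but it won\'t let me!',   // from the test script
    '5 < 10 and <b>bold</b> text',                        // constructed for this example
];

foreach ($samples as $input) {
    printf("input (%d bytes): %s\n", strlen($input), $input);
    foreach (compare_filters($input) as $name => $result) {
        // A result that is a strict prefix of the input means the tail was cut off.
        $truncated = $result !== $input
            && strncmp($input, $result, strlen($result)) === 0;
        printf("  %-16s %s%s\n", $name, var_export($result, true),
            $truncated ? '  <-- truncated' : '');
    }
    echo "\n";
}
```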