From: pornel at despammed dot com
Operating system:
PHP version: Irrelevant
PHP Bug Type: Documentation problem
Bug description: preg_replace example suggests poor patterns, which are harmful if really used
Description:
------------
The code on http://uk.php.net/preg_replace:

    $search = array ('@<script[^>]*?>.*?</script>@si', // Strip out javascript
                     '@<[\/\!]*?[^<>]*?>@si',          // Strip out HTML tags

doesn't work as advertised. For example it will leave the contents of:

    <script>xxx</script >

and worse, it will output valid script tags if given:

    <<>script>evil<<>/script>

If these patterns were used on some website (for stripping markup from users' comments, for example), they'd allow an XSS attack.

Since it's nearly impossible to properly parse HTML with regular expressions, I suggest:

* renaming the example from 'Convert HTML to text' to 'Remove HTML markup'
* adding replacement of '<' as '>'
* suggesting use of more robust methods, like strip_tags, nl2br, htmlspecialchars or the DOM interface.

-- 
Edit bug report at http://bugs.php.net/?id=36112&edit=1
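The two bypasses the report describes, reproduced as an added example that is not part of the bug report or the PHP manual: the patterns are the two quoted from the manual, the function names and the test harness are assumed.

```php
<?php
// Added example (not from the bug report): runs the two manual patterns
// against the two inputs the report names, then shows the escaping
// alternative the report recommends.

/** The two patterns exactly as quoted from the preg_replace manual example. */
function manual_example_strip(string $html): string
{
    $search = [
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',          // Strip out HTML tags
    ];
    return preg_replace($search, '', $html);
}

/** Safer default for untrusted text: escape it instead of parsing HTML with regex. */
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** True if the "stripped" output still contains an opening script tag. */
function still_contains_script_tag(string $out): bool
{
    return stripos($out, '<script') !== false;
}

// Constructed inputs, copied from the bug report.
$cases = [
    'end tag with trailing space' => '<script>xxx</script >',
    'brackets split across tags'  => '<<>script>evil<<>/script>',
];

foreach ($cases as $name => $input) {
    $regexOut = manual_example_strip($input);
    // Case 1: the javascript pattern needs a literal '</script>', so it never
    // matches '</script >'; only the tags are removed and 'xxx' leaks through.
    // Case 2: each inner '<>' is removed as an empty tag and the leftover pieces
    // reassemble into '<script>evil</script>', exactly as the report warns.
    printf("%-28s regex output:        %s\n", $name, $regexOut);
    printf("%-28s script tag survives: %s\n", '', still_contains_script_tag($regexOut) ? 'yes' : 'no');
    // Escaping neutralises both inputs: every '<' and '>' becomes an entity.
    printf("%-28s htmlspecialchars:    %s\n", '', escape_for_html($input));
    printf("%-28s strip_tags:          %s\n\n", '', strip_tags($input));
}
```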
