#5640: Sanitize::stripScripts also removes image tags
------------------------+---------------------------------------------------
    Reporter:  tyler    |          Type:  Bug      
      Status:  new      |      Priority:  Low      
   Milestone:  1.2.x.x  |     Component:  Core Libs
     Version:  RC3      |      Severity:  Minor    
    Keywords:           |   Php_version:  PHP 5    
Cake_version:           |  
------------------------+---------------------------------------------------
 == Description ==
 The stripScripts() behavior appears inconsistent with the documentation,
 as it removes <img> tags too.

 == Reproduction ==
 {{{
 $san = new Sanitize();
 exit($san->stripScripts("<img src='foo.jpg'>"));
 }}}

 == Expected Result ==
 {{{
 <img src='foo.jpg'>
 }}}

 == Actual Result ==
 {{{
 (Empty string)
 }}}

 == Problematic Code ==
 from sanitize.php (lines 127-135):
 {{{
 /**
  * Strips scripts and stylesheets from output
  *
  * @param string $str String to sanitize
  * @access public
  * @static
  */
     function stripScripts($str) {
         return preg_replace('/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|<img[^>]*>|style="[^"]*")|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/i', '', $str);
     }
 }}}

 == Potential Fix ==
 in sanitize.php (line 134; the `<img[^>]*>` alternative is dropped, and the now-unneeded group parenthesis with it so the pattern compiles):
 {{{
         return preg_replace('/<link[^>]+rel="[^"]*stylesheet"[^>]*>|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/i', '', $str);
 }}}
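 To see exactly what each pattern removes, here is an added comparison script (not code from the ticket or from CakePHP) that runs the RC3 pattern quoted above and the proposed pattern over constructed inputs; it assumes PHP 7 or later and drops the stray "(" from the proposed pattern so it compiles.

```php
<?php
// Added example, not code from the ticket or from CakePHP. It applies the RC3
// pattern quoted in the ticket and the reporter's proposed pattern to constructed
// inputs so the per-construct difference is visible. Requires PHP 7 or later.

// Pattern as quoted from sanitize.php line 134 in the ticket.
$rc3Pattern = '/(<link[^>]+rel="[^"]*stylesheet"[^>]*>|<img[^>]*>|style="[^"]*")'
            . '|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/i';

// Reporter's proposed pattern; the unbalanced "(" in the ticket is dropped so it compiles.
$proposedPattern = '/<link[^>]+rel="[^"]*stylesheet"[^>]*>'
                 . '|<script[^>]*>.*?<\/script>|<style[^>]*>.*?<\/style>|<!--.*?-->/i';

/**
 * Apply a stripScripts-style pattern and fail loudly on a regex error.
 * preg_replace() returns null on failure, which callers that simply echo the
 * result would otherwise silently turn into an empty string.
 */
function stripWith($pattern, $str)
{
    $out = preg_replace($pattern, '', $str);
    if ($out === null) {
        throw new RuntimeException('preg_replace failed, error ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs, one per construct the pattern distinguishes.
$samples = array(
    'img'          => "<img src='foo.jpg'>",
    'stylesheet'   => '<link rel="stylesheet" href="site.css">',
    'other link'   => '<link rel="icon" href="favicon.ico">',
    'script block' => '<script>doSomething();</script>',
    'style block'  => '<style>p { color: red }</style>',
    'style attr'   => '<p style="color: red">text</p>',
    'comment'      => 'before<!-- note -->after',
);

printf("%-12s | %-40s | %-40s\n", 'input', 'RC3 result', 'proposed result');
foreach ($samples as $name => $html) {
    printf("%-12s | %-40s | %-40s\n",
        $name, stripWith($rc3Pattern, $html), stripWith($proposedPattern, $html));
}
// What the output shows: the proposed pattern keeps <img> as the ticket asks, but
// it also stops removing inline style="..." attributes, a change the ticket does
// not mention; and neither pattern touches event-handler attributes such as
// onload="...", so stripScripts() should not be relied on as a full HTML sanitizer.
```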

-- 
Ticket URL: <https://trac.cakephp.org/ticket/5640>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>