[wp-trac] Re: [WordPress Trac] #3070: use of php's "strip_tags" gives improper/incomplete results

WordPress Trac wp-trac at lists.automattic.com
Sun Aug 27 07:54:52 GMT 2006


#3070: use of php's "strip_tags" gives improper/incomplete results
----------------------------+-----------------------------------------------
 Reporter:  _ck_            |        Owner:  anonymous
     Type:  defect          |       Status:  new      
 Priority:  high            |    Milestone:  2.1      
Component:  Administration  |      Version:  2.1      
 Severity:  major           |   Resolution:           
 Keywords:                  |  
----------------------------+-----------------------------------------------
Comment (by _ck_):

 Okay I've figured out the problem is with desired behavior (and that I am
 not explaining it enough).

 If javascript is used within a post (or possibly a comment if that is
 allowed) the problem is strip_tags will remove SCRIPT tags ONLY and leave
 the code in between!

 So your post via RSS will look like:
 ''blah blah blah'' document.write("example"); ''blah blah''

 html2txt will fix that behavior by stripping the code between SCRIPT
 first, then processing HTML tags (ignore my suggestion to change the
 processing order array in the previous comment).

 You are correct in that it has a weakness for purposely maligned tags.

 There must be a way to harden it, and I am working on that.

 Certainly you'd agree that leaving the javascript code behind after
 removing SCRIPT tags is bad behavior via strip_tags?

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3070>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
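
The behaviour described in the comment above, as an added example that is not part of the original message and is not WordPress or html2txt code. The helper name `html_to_text()` and the sample post are constructed for illustration, and PHP's DOM extension is assumed to be available. It uses an HTML parser rather than a regular expression to drop SCRIPT/STYLE elements, so tag case and spacing do not matter.

```php
<?php
// Constructed sample post body: inline JavaScript with an upper-case tag name.
$post = "<p>blah blah blah</p>\n"
      . "<SCRIPT type=\"text/javascript\">document.write(\"example\");</SCRIPT>\n"
      . "<p>blah <b>blah</b></p>";

// strip_tags() deletes the tags themselves but keeps every text node,
// including the JavaScript source that sat between the SCRIPT tags.
echo "strip_tags:   ", strip_tags($post), "\n";

/**
 * Hypothetical helper: plain-text rendering of an HTML fragment with the
 * contents of <script> and <style> elements removed, not just their tags.
 */
function html_to_text(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    // The meta tag tells libxml2 to read the fragment as UTF-8.
    $doc->loadHTML(
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div>' . $html . '</div>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Element names are normalised by the parser, so <SCRIPT> matches here.
    $xpath = new DOMXPath($doc);
    $drop  = iterator_to_array($xpath->query('//script | //style'));
    foreach ($drop as $node) {
        $node->parentNode->removeChild($node);
    }

    // textContent concatenates the remaining text nodes; collapse whitespace.
    $text = $doc->documentElement->textContent;
    return trim(preg_replace('/\s+/', ' ', $text));
}

echo "html_to_text: ", html_to_text($post), "\n";
```

The result is plain text, not sanitized HTML: it still has to be escaped for whatever context it is written into, such as an RSS element.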

