[wp-trac] [WordPress Trac] #3070: use of php's "strip_tags" gives improper/incomplete results
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 27 04:31:39 GMT 2006
#3070: use of php's "strip_tags" gives improper/incomplete results
----------------------------+-----------------------------------------------
Reporter: _ck_ | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.1
Component: Administration | Version: 2.1
Severity: major | Keywords:
----------------------------+-----------------------------------------------
WordPress uses the PHP [http://www.redalt.com/xref/trunk/nav.htm?_functions/index.htm strip_tags function at least 25 times].
The built-in function is known to have serious limitations, including faults with SCRIPT and STYLE tags, which can cause security issues and/or cause non-validation failures (i.e. javascript is inserted into RSS feeds).
Solution: replace with the superior [http://us2.php.net/manual/en/function.strip-tags.php#68757 html2txt example as shown in the PHP manual]
{{{
<?php
// Regex-based replacement for strip_tags(): removes <script> and <style>
// elements together with their contents, and HTML comments, and only then
// strips the remaining tags. The generic tag pattern has to run last;
// otherwise it removes the <script>/<style> tags and leaves their bodies.
function html2txt($document){
$search = array('@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<style[^>]*?>.*?</style>@si', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@', // Strip multi-line comments including CDATA
'@<[\/\!]*?[^<>]*?>@si' // Strip out remaining HTML tags
);
$text = preg_replace($search, '', $document);
return $text;
}
}}}
--
Ticket URL: <http://trac.wordpress.org/ticket/3070>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
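An added example, not from the ticket or from WordPress, showing what strip_tags() leaves behind on script/style content next to a regex stripper (strip_markup(), a name chosen here) on constructed inputs:

```php
<?php
// Added demonstration (not from the ticket): compares PHP's strip_tags() with
// a regex stripper that removes <script>/<style> elements whole, including
// their bodies. Sample inputs below are constructed for this example.

function strip_markup(string $html): string {
    // Element bodies and comments first; the generic tag pattern must run
    // last, or it strips the <script>/<style> tags and leaves their bodies.
    $patterns = array(
        '@<script[^>]*?>.*?</script>@si',  // <script> element including body
        '@<style[^>]*?>.*?</style>@si',    // <style> element including body
        '@<!--.*?-->@s',                    // HTML comments
        '@<[/!]?[^<>]*?>@s',                // any remaining tag
    );
    return preg_replace($patterns, '', $html);
}

// Constructed inputs: a well-formed case and a malformed (unclosed) one.
$cases = array(
    'closed script'   => '<p>Hi</p><script>document.write("x")</script><style>p{}</style>',
    'unclosed script' => '<p>Hi</p><script>document.write("x")',
);

foreach ($cases as $name => $html) {
    printf("%-16s strip_tags():   %s\n", $name, var_export(strip_tags($html), true));
    printf("%-16s strip_markup(): %s\n", $name, var_export(strip_markup($html), true));
}
```

On the unclosed case both functions leave the script body in the output, so the stripped text still has to be escaped (htmlspecialchars()) before it is placed into HTML or a feed.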