[wp-trac] Re: [WordPress Trac] #3070: use of php's "strip_tags" gives improper/incomplete results
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 27 07:54:52 GMT 2006
#3070: use of php's "strip_tags" gives improper/incomplete results
----------------------------+-----------------------------------------------
 Reporter:  _ck_            |        Owner:  anonymous
     Type:  defect          |       Status:  new
 Priority:  high            |    Milestone:  2.1
Component:  Administration  |      Version:  2.1
 Severity:  major           |   Resolution:
 Keywords:                  |
----------------------------+-----------------------------------------------
Comment (by _ck_):
Okay, I've figured out the problem is with desired behavior (and that I am
not explaining it enough).

If javascript is used within a post (or possibly a comment if that is
allowed) the problem is strip_tags will remove SCRIPT tags ONLY and leave
the code in between!

So your post via RSS will look like:

''blah blah blah'' document.write("example"); ''blah blah''

html2txt will fix that behavior by stripping the code between SCRIPT
first, then processing HTML tags (ignore my suggestion to change the
processing order array in the previous comment).

You are correct in that it has a weakness for purposely maligned tags.
There must be a way to harden it, and I am working on that.

Certainly you'd agree that leaving the javascript code behind after
removing SCRIPT tags is bad behavior via strip_tags?
--
Ticket URL: <http://trac.wordpress.org/ticket/3070>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
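
Added example (not part of the ticket, not WordPress code, and not the html2txt function the comment refers to): the strip_tags() behaviour described above, next to the "remove SCRIPT contents first, then tags" order and a parser-based variant for input with broken tags. The function names strip_script_then_tags and dom_text and both sample inputs are constructed for illustration.

```php
<?php
// Added example; function names and sample inputs are constructed.

// Order described in the comment: drop SCRIPT/STYLE elements together with
// their contents first, then strip whatever tags remain.
function strip_script_then_tags(string $html): string {
    // preg_replace() returns null on error; fall back to '' so nothing leaks.
    $html = preg_replace('@<(script|style)\b[^>]*>.*?</\1\s*>@is', ' ', $html) ?? '';
    return trim(strip_tags($html));
}

// Parser-based variant: libxml decides where elements start and end, so an
// unterminated SCRIPT swallows the rest of the input instead of exposing it.
function dom_text(string $html): string {
    if (trim($html) === '') {
        return '';
    }
    $prev = libxml_use_internal_errors(true);   // keep tag-soup warnings quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    foreach (['script', 'style'] as $name) {
        // Copy the live node list before removing nodes from the tree.
        foreach (iterator_to_array($doc->getElementsByTagName($name)) as $node) {
            $node->parentNode->removeChild($node);
        }
    }
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body ? trim(preg_replace('/\s+/', ' ', $body->textContent)) : '';
}

// Constructed post body modelled on the RSS output quoted in the comment.
$post = '<p>blah blah blah</p><script>document.write("example");</script><p>blah blah</p>';
// Constructed input whose SCRIPT element is never closed.
$unterminated = '<p>blah</p><script>document.write("example");';

echo strip_tags($post), "\n";              // script body survives as plain text
echo strip_script_then_tags($post), "\n";  // script body removed before tag stripping
echo dom_text($post), "\n";                // same result through the HTML parser
echo dom_text($unterminated), "\n";        // unclosed SCRIPT content is dropped
```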