[wp-trac] Re: [WordPress Trac] #3070: use of php's "strip_tags" gives improper/incomplete results
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 27 09:34:36 GMT 2006
#3070: use of php's "strip_tags" gives improper/incomplete results
----------------------------+-----------------------------------------------
 Reporter:  _ck_            |       Owner:  anonymous
     Type:  defect          |      Status:  new
 Priority:  high            |   Milestone:  2.1
Component:  Administration  |     Version:  2.1
 Severity:  major           |  Resolution:
 Keywords:                  |
----------------------------+-----------------------------------------------
Comment (by _ck_):
Okay, this code is somewhat nasty but works.
Perhaps some PHP pros can improve upon it but keep its functionality.
It now strips script/style/embed/object/iframe, which are the most serious,
not just for attacks but for honest cleanup of your posts for RSS viewing.
{{{
<?php
echo html2txt("1. <><script< >>alert('hey <br> html2txt <scr<>ipt>');</scr<>ipt>")."<br>";
echo html2txt("2. before <scr<>ipt>document.write('html2txt <scr<>ipt>');</script> after ")."<br>";
echo strip_tags("3. <><script< >>alert('hey <br> strip_tags <scr<>ipt>');</scr<>ipt> ")."<br>";
echo strip_tags("4. before <scr<>ipt>document.write('strip_tags <scr<>ipt>');</script> after")."<br>";

function html2txt($text){
    $search = array('@<>@',                            // collapse the "<scr<>ipt>" trick into a real tag
                    '@<script[^>]*?>.*?</script>@siU', // strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',   // strip style tags properly
                    '@<embed[^>]*?>.*?</embed>@siU',   // embed
                    '@<object[^>]*?>.*?</object>@siU', // object
                    '@<iframe[^>]*?>.*?</iframe>@siU', // iframe
                    '@<![\s\S]*?--[ \t\n\r]*>@',       // strip multi-line comments including CDATA
                    '@</?[^>]*>*@'                     // html tags
                    );
    // keep replacing until strip_tags() finds nothing left to strip
    while($text != strip_tags($text)) { $text = preg_replace($search, '', $text); }
    return $text;
}
?>
}}}
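The same idea reworked as an added example (not the ticket's code and not a WordPress API): it runs to a fixed point with a bounded number of passes, removes the contents of the listed elements rather than only their tags, and emits nothing rather than text that is still changing. The function name, the `$max_passes` parameter and the test inputs are the example's own.

```php
<?php
// Added example, not the ticket's code: html2txt() rewritten to run to a fixed
// point, remove *contents* of dangerous elements, and fail closed.
function strip_dangerous_html($text, $max_passes = 10)
{
    // Elements whose contents are unsafe (or useless) in plain-text / RSS output.
    $elements = array('script', 'style', 'embed', 'object', 'iframe');
    $patterns = array();
    foreach ($elements as $el) {
        // Non-greedy: two separate <script> blocks are removed one by one rather
        // than everything between the first opening and the last closing tag.
        $patterns[] = '@<' . $el . '\b[^>]*>.*?</' . $el . '\s*>@si';
        // No closing tag at all: drop the rest of the text (fail closed).
        $patterns[] = '@<' . $el . '\b[^>]*>.*$@si';
    }
    $patterns[] = '@<!--.*?-->@s';              // HTML comments
    $patterns[] = '@<!\[CDATA\[.*?\]\]>@s';     // CDATA sections

    for ($pass = 0; $pass < $max_passes; $pass++) {
        $before = $text;
        // Collapse the "<scr<>ipt>" trick (and nested "<<>>") until none remain,
        // so the element patterns see a real "<script>" and remove its body.
        while (($collapsed = str_replace('<>', '', $text)) !== $text) {
            $text = $collapsed;
        }
        $text = preg_replace($patterns, '', $text);
        $text = strip_tags($text);
        if ($text === $before) {
            return $text;   // fixed point: one more pass would change nothing
        }
    }
    return '';              // still changing after $max_passes: emit nothing
}

// Constructed inputs (not from the ticket) with the output expected from above.
$cases = array(
    'before <scr<>ipt>document.write("x");</script> after' => 'before  after',
    '<><script< >>alert(1)</scr<>ipt>'                     => '',
    'a <b>bold</b> &amp; <!-- c --> x'                     => 'a bold &amp;  x',
    'x <style>p{}'                                         => 'x ',
);
foreach ($cases as $input => $expected) {
    $got = strip_dangerous_html($input);
    echo ($got === $expected ? 'ok   ' : 'FAIL ') . var_export($got, true) . "\n";
}
```

A tag whose name is itself mangled (for example `<scr<br>ipt>`) is removed by strip_tags() as one tag, so no tag survives, but the element's body is then kept as plain text; that is the residual "incomplete" case a blacklist approach cannot fully close.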
--
Ticket URL: <http://trac.wordpress.org/ticket/3070>
WordPress Trac <http://wordpress.org/>
WordPress blogging software