Zend Framework

Zend_Filter_StripTags strips '<' in text

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Not an Issue
  • Affects Version/s: 1.9.6
  • Fix Version/s: 1.9.7
  • Component/s: Zend_Filter
  • Labels: None

Description

When using Zend_Filter_StripTags, it strips everything starting from a single '<'.

<?php
// Zend Framework 1.x: load the filter and the debug helper.
require_once 'Zend/Filter/StripTags.php';
require_once 'Zend/Debug.php';

$text = 'This is an example. Bla < 300';
$filter = new Zend_Filter_StripTags();
$filteredText = $filter->filter($text);

Zend_Debug::dump($filteredText);

The result:
string(24) "This is an example. Bla "

Why is the < (and the part after) removed? It isn't a tag.

Activity

Thomas Weidner added a comment - edited

This is expected behaviour and even tested to get sure it is done this way.

Only &gt; or &lt; is allowed.

Thomas Weidner added a comment

Closing as non-issue

Sven Franke added a comment

May I ask why?

So I first have to replace all the &, <, > (not tags) before using StripTags?

Marc Hodgins added a comment

Sven, StripTags is intended to strip anything that could be interpreted as an HTML tag. Since "< 300" could be an unclosed HTML tag, the logical action is to strip that character and everything that follows.

To protect against user input containing HTML, you are better off to store the raw input (without implementing the StripTags filter) and then escape via htmlentities when later displaying that content.

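The pattern Marc recommends above (store the raw input, escape at display time), as an added example that is not code from the Zend Framework or from anyone in this thread. It uses only PHP built-ins; the function names and the sample strings are constructed for illustration. Escaping is lossless, so "Bla < 300" is shown exactly as typed, while a tag-stripping filter has to guess where an unclosed tag ends and throws that text away.

```php
<?php
// Added example: keep user input raw in storage, escape only when rendering.
// Function names and sample inputs are constructed for this illustration.

/**
 * Escape a raw string for insertion into HTML element content or a
 * quoted attribute. '<', '>', '&', '"' and "'" all become entities, so
 * "Bla < 300" renders literally instead of being dropped or parsed as a tag.
 */
function escapeForHtml(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Rendering step: this is the only place where escaping happens.
 * $storedRaw is whatever the user submitted, saved unmodified.
 */
function renderComment(string $storedRaw): string
{
    return '<p class="comment">' . escapeForHtml($storedRaw) . '</p>';
}

/**
 * Same idea for an attribute context: the value is still escaped once,
 * at output, and wrapped in double quotes so ENT_QUOTES covers it.
 */
function renderTitleAttribute(string $storedRaw): string
{
    return '<span title="' . escapeForHtml($storedRaw) . '">hover</span>';
}

// Constructed sample inputs: the reporter's text and a hostile one.
$samples = [
    'This is an example. Bla < 300',
    '<script>alert(1)</script> 5 > 3 && 2 < 4',
    'He said "hi" & left',
];

foreach ($samples as $raw) {
    echo renderComment($raw), PHP_EOL;
    echo renderTitleAttribute($raw), PHP_EOL;
}
```

Because nothing is stripped on the way in, the stored value can later be rendered into a different context (JSON, plain text, a mail body) with that context's own encoder instead of the HTML one.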
