Issues

ZF-11617: Zend_Filter_StripTags does not handle hyphenated attribute names

Issue Type: Improvement Created: 2011-07-27T16:01:21.000+0000 Last Updated: 2011-08-26T19:25:29.000+0000 Status: Resolved Fix version(s): - 1.11.10 (04/Aug/11)

Reporter: Bernd Matzner (bmatzner) Assignee: Adam Lundrigan (adamlundrigan) Tags: - Zend_Filter

  • filter

Related issues: Attachments:

Description

In Zend_Filter_StripTags, the regex to parse well-formed attributes should take dashes into account to support HTML5 data-* attributes:

Instead of checking for

<pre class="highlight">
           (\w+)

it should at least do this

<pre class="highlight">
            // Parse iteratively for well-formed attributes
            preg_match_all('/([a-z\-]+)\s*=\s*(?:(")(.*?)"|(\')(.*?)\')/s', $tagAttributes, $matches);

Comments

Posted by Adam Lundrigan (adamlundrigan) on 2011-07-28T16:50:47.000+0000

Added the hyphen character to list of valid characters for an attribute name:

<pre class="highlight">
Index: library/Zend/Filter/StripTags.php
===================================================================
--- library/Zend/Filter/StripTags.php   (revision 24276)
+++ library/Zend/Filter/StripTags.php   (working copy)
@@ -319,7 +319,7 @@
         // If there are non-whitespace characters in the attribute string
         if (strlen($tagAttributes)) {
             // Parse iteratively for well-formed attributes
-            preg_match_all('/(\w+)\s*=\s*(?:(")(.*?)"|(\')(.*?)\')/s', $tagAttributes, $matches);
+            preg_match_all('/([\w-]+)\s*=\s*(?:(")(.*?)"|(\')(.*?)\')/s', $tagAttributes, $matches);

             // Initialize valid attribute accumulator
             $tagAttributes = '';

Fix and unit test committed to trunk in r24277 Merged to release-1.11 in r24278

Posted by Thomas Weidner (thomas) on 2011-08-26T19:25:29.000+0000

Added in ZF2 with GH-285

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts