Fixed bug #40432 (strip_tags() fails with greater than in attribute).

diff --git a/NEWS b/NEWS
index 9530c3f9ab98ecd4759b08e8cf599b9460ef41a0..9e0832829bd5f759f52f1817851856d01d11b71c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP                                                                        NEWS
 - Upgraded PCRE to version 7.0 (Nuno)
 - Add --ri switch to CLI which allows to check extension information. (Marcus)
 - Added tidyNode::getParent() method (John, Nuno)
+- Fixed bug #40432 (strip_tags() fails with greater than in attribute). (Ilia)
 - Fixed bug #40431 (dynamic properties may cause crash in ReflectionProperty 
   methods). (Tony)
 - Fixed bug #40428 (imagepstext() doesn't accept optional parameter). (Pierre)

diff --git a/ext/standard/string.c b/ext/standard/string.c
index aec6624b65c5d77efcc6c96243a2463b59ed0ac5..335cb64d5cba2a8f80d0a85a4f5373f0d665aa32 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4130,7 +4130,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, int allow_len, zend_bool allow_tag_spaces)
 {
        char *tbuf, *buf, *p, *tp, *rp, c, lc;
-       int br, i=0, depth=0;
+       int br, i=0, depth=0, in_q = 0;
        int state = 0;
 
        if (stateptr)
@@ -4164,7 +4164,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                        if (allow) {
                                                tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
                                                *(tp++) = '<';
-                                       }
+                                       }
                                } else if (state == 1) {
                                        depth++;
                                }
@@ -4203,7 +4203,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                        depth--;
                                        break;
                                }
-                       
+
+                               if (in_q) {
+                                       break;
+                               }
+
                                switch (state) {
                                        case 1: /* HTML/XML */
                                                lc = '>';
@@ -4259,6 +4263,9 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                        tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
                                        *(tp++) = c;
                                }
+                               if (*(p-1) != '\\') {
+                                       in_q = !in_q;
+                               }
                                break;
                        
                        case '!': 

diff --git a/ext/standard/tests/strings/bug40432.phpt b/ext/standard/tests/strings/bug40432.phpt
new file mode 100644 (file)
index 0000000..6db2e94
--- /dev/null
+++ b/ext/standard/tests/strings/bug40432.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #40432 (strip_tags() fails with greater than in attribute)
+--FILE--
+<?php
+echo strip_tags('<span title="test > all">this</span>') . "\n";
+?>
+--EXPECT--
+this