From 103b8c33c0e70f75d5374d72aae42533b23ee4d8 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 13 Feb 2007 02:16:22 +0000
Subject: [PATCH] Fixed bug #40432 (strip_tags() fails with greater than in
 attribute).

---
 NEWS                                     |  1 +
 ext/standard/string.c                    | 13 ++++++++++---
 ext/standard/tests/strings/bug40432.phpt |  8 ++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 ext/standard/tests/strings/bug40432.phpt

diff --git a/NEWS b/NEWS
index 9530c3f9ab..9e0832829b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP                                                                        NEWS
 - Upgraded PCRE to version 7.0 (Nuno)
 - Add --ri switch to CLI which allows to check extension information. (Marcus)
 - Added tidyNode::getParent() method (John, Nuno)
+- Fixed bug #40432 (strip_tags() fails with greater than in attribute). (Ilia)
 - Fixed bug #40431 (dynamic properties may cause crash in ReflectionProperty 
   methods). (Tony)
 - Fixed bug #40428 (imagepstext() doesn't accept optional parameter). (Pierre)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index aec6624b65..335cb64d5c 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4130,7 +4130,7 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in
 PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, int allow_len, zend_bool allow_tag_spaces)
 {
 	char *tbuf, *buf, *p, *tp, *rp, c, lc;
-	int br, i=0, depth=0;
+	int br, i=0, depth=0, in_q = 0;
 	int state = 0;
 
 	if (stateptr)
@@ -4164,7 +4164,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 					if (allow) {
 						tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 						*(tp++) = '<';
-					}
+				 	}
 				} else if (state == 1) {
 					depth++;
 				}
@@ -4203,7 +4203,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 					depth--;
 					break;
 				}
-			
+
+				if (in_q) {
+					break;
+				}
+
 				switch (state) {
 					case 1: /* HTML/XML */
 						lc = '>';
@@ -4259,6 +4263,9 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 					tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
 					*(tp++) = c;
 				}
+				if (*(p-1) != '\\') {
+					in_q = !in_q;
+				}
 				break;
 			
 			case '!': 
diff --git a/ext/standard/tests/strings/bug40432.phpt b/ext/standard/tests/strings/bug40432.phpt
new file mode 100644
index 0000000000..6db2e94e58
--- /dev/null
+++ b/ext/standard/tests/strings/bug40432.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #40432 (strip_tags() fails with greater than in attribute)
+--FILE--
+<?php
+echo strip_tags('<span title="test > all">this</span>') . "\n";
+?>
+--EXPECT--
+this
-- 
2.40.0