Fix bug #80565

[BruceGitHub]

This Pr point to resolve this bug
https://bugs.php.net/bug.php?id=80565

related for another version:
https://bugs.php.net/bug.php?id=74371
#3570

Originally created for PHP 7.1.3 but still present also in PHP 8/master.
https://3v4l.org/4Yaoj

Like the comment of the original PR, I followed the solution (for security aspects) of encoding the '<' and '>' instead of allowed. Because misuse of this function seems a more pragmatic approach.

The code of PHP 8 it's more readable ma still complex to manage. For this, I chose this approach.

Another solution may refactor the entire function. To allow the internal "state machine" to
know which context it's and change behavior based on this know-how for example.
This solution requires more effort.

To improve the readability I chose to use a macro I don't know if this choice follows the best practices
or the coding standard if not I can convert it to a static function.

For last if this PR it's appreciated, I can try to fix also the previous version like 7.x.

This it's my first PR for this repo so sorry if it does not respect the standard flow.

My apologies but It's been a long time since I wrote code in c. If need I try to improve the quality of code

[cmb69]

Thanks for the PR! Apparently, the test case is failing; can you please have a look?

[BruceGitHub]

Thanks for the PR! Apparently, the test case is failing; can you please have a look?

Yes, but I not understood which it's the cause... I looking at che code to spot the problem.
The test that I pushed are green ...
So maybe some other related stuff...

[cmb69]

bugXXX.phpt is failing on AppVeyor as well as on Azure pipelines

[BruceGitHub]

bugXXX.phpt is failing on AppVeyor as well as on Azure pipelines

Uh thanks! I try to fix

[carusogabriel]

Is this a fix for PHP 8.0.X? If so, please rebase this PR on top of the PHP-8.0 branch, not the master :)

[cmb69]

strip_tags() strips < and > signs from attribute values since 5.2.7. However, it apparently never got it quite right. Considering that strip_tags() is doubtful per se, and that it is not rarely used to prevent XSS (although it is not meant for that purpose), I would be reluctant to fix it for stable versions (if at all).

[BruceGitHub]

strip_tags() strips < and > signs from attribute values since 5.2.7. However, it apparently never got it quite right. Considering that strip_tags() is doubtful per se, and that it is not rarely used to prevent XSS (although it is not meant for that purpose), I would be reluctant to fix it for stable versions (if at all).

Mm ok so I think to close PR ? Or not ?

[cmb69]

If you find a good solution, in my opionion, it's fine for "master". :)

[BruceGitHub]

The pipe is passed now. But I found a strange behavior. Soon I push a test...

[BruceGitHub]

btw this test don't pass

--TEST--
Bug #XXXXX: strip_tags strip >< in attributes with allow tag
--FILE--
<?php

echo strip_tags('<ta alt="abc< " >', '<ta>').\PHP_EOL;
echo strip_tags('<ta alt="abc> " >', '<ta>').\PHP_EOL;
echo strip_tags('<t y="1< 2< 3< 4< 5< 6< 7< 8< 9< 10<" />', '<t>').\PHP_EOL;
?>
--EXPECT--
<ta alt="abc&lt; " >
<ta alt="abc&gt; " >
<t y="1&lt; 2&lt; 3&lt; 4&lt; 5&lt; 6&lt; 7&lt; 8&lt; 9&lt; 10&lt;" />

The problems it's with the original buffer allocated with the size of the initial input. This function it's written to decrease the size of the buffer
with this change instead the size increase.

I worked a lot to solve.

First, I tried with a solution like the first PR (but realloc not work with zend_string or I didn't succeed).
For me the best solutions it's put in signature zend_string * then zend_string_extends when we need to resize the buffer
then remove char *.
But I deal with a memory leak.
These days I try to solve...

[BruceGitHub]

Ole! Now all green!

[BruceGitHub]

I must resolve conflicts ...