Login   Register  
PHP Classes
elePHPant
Icontem

Spaces in attributes

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us

      PHP Input Filter  >  All threads  >  Spaces in attributes  >  (Un) Subscribe thread alerts  
Subject:Spaces in attributes
Summary:Problem with spaces being stripped from attributes
Messages:7
Author:John
Date:2006-09-29 12:53:13
Update:2009-07-28 14:09:54
 

  1. Spaces in attributes   Reply  
Picture of John
John
2006-09-29 12:53:13
Attributes such as 'title' and 'alt' often need to legitimately have spaces in them but InputFilter automatically strips spaces from all attributes. Does anyone have a fix to prevent spaces being stripped from these attributes?

Are there circumstances where spaces in attributes compromise security, or are they removed simply for cosmetic purposes?

  2. Re: Spaces in attributes   Reply  
Picture of Tijmen Crone
Tijmen Crone
2007-03-05 13:43:45 - In reply to message 1 from John
Anyone got a solution yet?

  3. Re: Spaces in attributes   Reply  
Picture of Anthony Gallon
Anthony Gallon
2009-03-12 04:30:14 - In reply to message 2 from Tijmen Crone
I sussed it!

Line 95, change:

while($tagOpen_start !== FALSE) {

to

while($tagOpen_start > 0) {

Line 140, change:

while ($currentSpace !== FALSE) {

to

while ($currentSpace > 0) {

... Don't ask me why, according to PHP specs the strpos should return boolean false on fail but this seems to work :)

  4. Re: Spaces in attributes   Reply  
Picture of Anthony Gallon
Anthony Gallon
2009-03-12 04:33:30 - In reply to message 3 from Anthony Gallon
BTW, thanks Daniel, this is one of my favourite classes!

  5. Re: Spaces in attributes   Reply  
Picture of John Keene
John Keene
2009-05-30 03:27:20 - In reply to message 4 from Anthony Gallon
Don't apply this "fix"

If you change the two lines of code, as suggested, the script now longer filters out XSS attacks and event handlers.

  6. Re: Spaces in attributes   Reply  
Picture of Anthony Gallon
Anthony Gallon
2009-06-02 00:49:42 - In reply to message 5 from John Keene
Good spotting John, well I have no more ideas how to fix it then. I have devised my own class based on phpQuery which can parse HTML stripping tags and attributes by whitelist/blacklist. It has been submitted for approval and should be available in a few days.

  7. Re: Spaces in attributes   Reply  
Picture of Mike Weissbluth
Mike Weissbluth
2009-07-28 14:09:54 - In reply to message 6 from Anthony Gallon
In function filterAttr($attrSet), change the following:

// strip normal newline within attr value
$attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);

to

// strip normal newline within attr value
/* changed to allow single spaces in attrs */
$attrSubSet[1] = preg_replace('/\s+/', ' ', $attrSubSet[1]);

The standard comment is a little misleading, since the standard line of code strips all spaces. The modification collapses all spaces to one space.