
false positive 'aaa<bbb' #41

Closed
revelt opened this issue Oct 1, 2017 · 2 comments

Comments

@revelt

revelt commented Oct 1, 2017

hi guys,

check this out:

var striptags = require("striptags")
console.log(striptags('aaa<bbb'))
// => aaa

See this on Runkit: https://runkit.com/embed/nfxue95dyxv5

This is wrong isn't it?

@ericnorris
Owner

@revelt thanks for reporting! I would not consider this incorrect behavior for three reasons.

One, since the text does not close the opening tag, it is still dangerous HTML. Imagine this:

var striptags = require("striptags")

// Trusted markup that the application appends after the user-supplied text
var other_html = "<p>trusted content</p>";

// The user-supplied text contains an unclosed tag
var stripped_input = striptags('aaa<script src="blah" ');

// If the unclosed "<script" were preserved, the concatenation would form a script element
console.log(stripped_input + other_html);

If striptags did not remove the unclosed script tag, then the resulting output could execute JavaScript. Since striptags is a state machine, it will unequivocally remove anything that appears to be a tag.

Two, that < should be HTML-encoded if it is truly plaintext.

Finally, the third reason is that PHP does it this way as well. You can see the behavior yourself here.
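To make the state-machine argument above concrete, here is an added example that is not striptags' own code: a simplified character-by-character tag stripper of my own (the real library also handles comments and other states) next to the HTML-encoding alternative for input that is meant to be plain text. The input strings are constructed to mirror the ones in this thread, and the helper names are mine.

```javascript
// Simplified state-machine tag stripper (added illustration, not the striptags
// implementation). It shows why an unclosed "<..." run is dropped: once we are
// inside a tag, nothing is emitted until a '>' closes it, and reaching the end of
// the input while still inside a tag discards the partial tag entirely.
const STATE_TEXT = 0;   // emitting ordinary characters
const STATE_TAG = 1;    // after '<', waiting for the closing '>'
const STATE_QUOTE = 2;  // inside a quoted attribute value, where '>' does not close the tag

function stripTagsStateMachine(input) {
  let state = STATE_TEXT;
  let quoteChar = '';
  let out = '';
  for (const ch of input) {
    switch (state) {
      case STATE_TEXT:
        if (ch === '<') {
          state = STATE_TAG;        // anything that looks like a tag starts here
        } else {
          out += ch;
        }
        break;
      case STATE_TAG:
        if (ch === '>') {
          state = STATE_TEXT;       // tag closed, resume emitting text
        } else if (ch === '"' || ch === "'") {
          quoteChar = ch;
          state = STATE_QUOTE;      // a '>' inside alt="x>y" must not end the tag
        }
        break;
      case STATE_QUOTE:
        if (ch === quoteChar) {
          state = STATE_TAG;
        }
        break;
    }
  }
  // If state !== STATE_TEXT here, the trailing "<..." was never emitted.
  return out;
}

// The alternative the reporter wants for text that is truly plain text: keep the
// characters but make them inert in an HTML context.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Untrusted text followed by trusted markup, as in the owner's example. Stripping
// first guarantees that no tag from the untrusted part survives into the result.
function renderAfterStripping(untrusted, trustedHtml) {
  return stripTagsStateMachine(untrusted) + trustedHtml;
}

// Constructed inputs mirroring the thread (hypothetical sample data).
const samples = {
  unclosedWord: 'aaa<bbb',
  unclosedScript: 'aaa<script src="blah" ',
  closedTag: 'aaa<b>bold</b>ccc',
  gtInAttribute: 'aaa<img alt="x>y">ccc',
};

function demo() {
  const results = {};
  for (const [name, text] of Object.entries(samples)) {
    results[name] = {
      stripped: stripTagsStateMachine(text),
      escaped: escapeHtml(text),
    };
  }
  results.concatenated = renderAfterStripping(samples.unclosedScript, '<p>trusted</p>');
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see the two strategies side by side: stripping turns `aaa<bbb` into `aaa` and leaves no `<script` in the concatenated output, while escaping preserves `aaa&lt;bbb` for display. Which one is right depends on whether the input is HTML to be cleaned or text to be shown, which is exactly the disagreement in this issue.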

@revelt
Author

revelt commented Oct 2, 2017

I see your points. The main difference between our thinking is that I assume nothing about the input string: it can or can't be HTML, it can be encoded or not. I came looking for a stripping library with these expectations and obviously they didn't match :) I guess I'll have to code up my own library that does what I need. Anyway, thank you for the prompt investigation and resolution.
