John - 2006-09-29 12:53:13
Attributes such as 'title' and 'alt' often need to legitimately have spaces in them but InputFilter automatically strips spaces from all attributes. Does anyone have a fix to prevent spaces being stripped from these attributes?
Are there circumstances where spaces in attributes compromise security, or are they removed simply for cosmetic purposes?
Tijmen Crone - 2007-03-05 13:43:45 - In reply to message 1 from John
Anyone got a solution yet?
Anthony Gallon - 2009-03-12 04:30:14 - In reply to message 2 from Tijmen Crone
I sussed it!
Line 95, change:
while($tagOpen_start !== FALSE) {
to
while($tagOpen_start > 0) {
Line 140, change:
while ($currentSpace !== FALSE) {
to
while ($currentSpace > 0) {
... Don't ask me why, according to PHP specs the strpos should return boolean false on fail but this seems to work :)
Anthony Gallon - 2009-03-12 04:33:30 - In reply to message 3 from Anthony Gallon
BTW, thanks Daniel, this is one of my favourite classes!
John Keene - 2009-05-30 03:27:20 - In reply to message 4 from Anthony Gallon
Don't apply this "fix"
If you change the two lines of code, as suggested, the script no longer filters out XSS attacks and event handlers.
Anthony Gallon - 2009-06-02 00:49:42 - In reply to message 5 from John Keene
Good spotting John, well I have no more ideas how to fix it then. I have devised my own class based on phpQuery which can parse HTML stripping tags and attributes by whitelist/blacklist. It has been submitted for approval and should be available in a few days.
Mike Weissbluth - 2009-07-28 14:09:54 - In reply to message 6 from Anthony Gallon
In function filterAttr($attrSet), change the following:
// strip normal newline within attr value
$attrSubSet[1] = preg_replace('/\s+/', '', $attrSubSet[1]);
to
// strip normal newline within attr value
/* changed to allow single spaces in attrs */
$attrSubSet[1] = preg_replace('/\s+/', ' ', $attrSubSet[1]);
The standard comment is a little misleading, since the standard line of code strips all spaces. The modification collapses all spaces to one space.
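The two changes discussed in this thread, side by side, as an added illustration that is not code from the InputFilter class or from any poster here: a strpos()-driven scanner with the original "!== FALSE" test and with the "> 0" test from message 3, and the attribute-value regex from message 7 in its original and collapsing forms. The function names and sample strings are constructed for this example.

```php
<?php
// Added example, not code from the InputFilter class or from this thread.
// Function names and the sample strings below are constructed for illustration.

// A minimal '<' scanner in the style of a tag-filter loop. strpos() returns
// int 0 for a match at offset 0 and bool false for no match, so only the
// strict "!== false" test (the original line 95/140 form) loops correctly.
function countTagOpens(string $html): int {
    $count = 0;
    $pos = strpos($html, '<');
    while ($pos !== false) {
        $count++;
        $pos = strpos($html, '<', $pos + 1);
    }
    return $count;
}

// The same scanner with the "> 0" test from message 3. When the first '<' is
// at offset 0, strpos() returns 0, "0 > 0" is false, and the loop body never
// runs: every tag in the input is left unexamined. This is the behaviour
// message 5 reports as the script no longer filtering XSS.
function countTagOpensBroken(string $html): int {
    $count = 0;
    $pos = strpos($html, '<');
    while ($pos > 0) {
        $count++;
        $pos = strpos($html, '<', $pos + 1);
    }
    return $count;
}

// Attribute-value handling from message 7. The original regex deletes every
// whitespace character; the replacement collapses each run to one space.
// Both still remove the embedded newlines that the class's own comment
// ("strip normal newline within attr value") says the line is for.
function stripAttrWhitespace(string $value): string {
    return preg_replace('/\s+/', '', $value);
}
function collapseAttrWhitespace(string $value): string {
    return preg_replace('/\s+/', ' ', $value);
}

// Constructed inputs. The '<' at offset 0 is the case the "> 0" test misses.
$html = '<p title="Hello   World">text</p>';
assert(countTagOpens($html) === 2);
assert(countTagOpensBroken($html) === 0);
assert(stripAttrWhitespace("Hello \n  World") === 'HelloWorld');
assert(collapseAttrWhitespace("Hello \n  World") === 'Hello World');
echo "all checks passed\n";
```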