force_balance_tags() gets mixed up with < and numbers

[feedr]

The function mentioned above (in formatting.php) will produce incorrect output when the entered text contains < followed by a number.
If you enter "3 < 5 here may be some text <a href="#">and a link</a> and some more text", the closing </a> will be omitted.
The problem here is the regex <(\/?\w*)\s*([^{>]*)>. When changed to <(\/?\w+)\s*([}>]*)> the output will be as expected.

[feedr]

Edit: WikiFormatting got messed up

Old regex:

<(\/?\w*)\s*([^>]*)>

New regex:

<(\/?\w+)\s*([^>]*)>

[Viper007Bond]

Doesn't have a patch per se, but it does have a fix. :)

[Denis-de-Bernardy]

Patch should even allow things like foo < bar, provided that a space follows the <.

The "real" issue, however, is not fixed. That < should get turned into (or be written from the onset as) &lt;.

[Denis-de-Bernardy]

patching this can potentially introduce issues like foo < script src=evil.js

punting to future.

[Denis-de-Bernardy]

This should probably be closed as wontfix, imo. There's far too much potential to break things here, no matter what the solution we try.

[scribu]

Replying to Denis-de-Bernardy:

This should probably be closed as wontfix, imo. There's far too much potential to break things here, no matter what the solution we try.

Agreed.

What if I want to write 3<5 (without the spaces)?

What if I have a variable 'a' and I need to write 3<a ?

The correct way to write it would be 3&lt;a.