PHP :: Bug #78814 :: strip_tags allows / in tag name, allowing whitelist bypass in browsers

Bug #78814

strip_tags allows / in tag name, allowing whitelist bypass in browsers

Submitted:

2019-11-14 12:16 UTC

Modified:

2019-12-02 10:41 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

talkemade at computest dot nl

Assigned:

cmb (profile)

Status:

Closed

Package:

Strings related

PHP Version:

7.3.11

OS:

all

Private report:

CVE-ID:

None

View Developer Edit

[2019-11-14 12:16 UTC] talkemade at computest dot nl

Description:
------------
When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.

For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.

The browsers Chrome, Firefox and Safari, however, interpret this syntax as <s trong=""> (in HTML this would result in a strikethrough element with an unknown attribute). This means that it's possible to use any tag which is a prefix of a tag that is whitelisted. If the whitelist is important for security then this can allow the introduction of non-whitelisted tags.

Test script:
---------------
<?php

echo strip_tags("<s/trong>b</strong>", "<strong>");

Expected result:
----------------
b

Actual result:
--------------
<s/trong>b</strong>

Patches

Pull Requests

Pull requests:

Fix #78814: strip_tags allows / in tag name => whitelist bypass (php-src/4923)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-11-14 14:59 UTC] cmb@php.net

> If the whitelist is important for security […]

Then the program makes a wrong assumption.

[2019-11-17 13:18 UTC] cmb@php.net

-Type: Security +Type: Bug

[2019-11-17 13:18 UTC] cmb@php.net

Okay, lets consult the docs[1]:

| This function should not be used to try to prevent XSS attacks.

So this is clearly not a security issue.  I agree, though, that
the reported behavior is erroneous, but would expect the following
output

    b</strong>

[1] <https://www.php.net/strip_tags>

[2019-11-17 13:23 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #78814: strip_tags allows / in tag name => whitelist bypass
On GitHub:  https://github.com/php/php-src/pull/4923
Patch:      https://github.com/php/php-src/pull/4923.patch

[2019-11-17 13:29 UTC] cmb@php.net

-Status: Open +Status: Verified

[2019-12-02 10:40 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=600f1f898f9771d13880255e74ea1c10590f5fd5
Log: Fix #78814: strip_tags allows / in tag name =&gt; whitelist bypass

[2019-12-02 10:40 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2019-12-02 10:41 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC