Doc Bug #77059 strip_tags fails to properly remove tags with whitespaces
Submitted: 2018-10-25 13:15 UTC Modified: 2019-05-15 21:10 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: alex at buayacorp dot com Assigned: peehaa (profile)
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: debian wheezy
Private report: No CVE-ID: None
 [2018-10-25 13:15 UTC] alex at buayacorp dot com
Description:
------------
Since PHP 4.3.2 release ([1], [2]), strip_tags seems to skip (until the next < character) whatever comes next if the sequence `< ` (<+whitespace) is found. This seems somewhat problematic for some PHP applications that rely on this function as a way to remove unwanted html tags and which might also lead to XSS issues.

If there's no intention to fix this, I guess a security warning note should likely be used in the documentation page.

[1] https://3v4l.org/lNrL4
[2] https://github.com/php/php-src/commit/d9afe5c129ac7ff55f150f8263e71b2d5d4c5544

Test script:
---------------
<?php

var_dump(strip_tags('< img src=x onerror=alert(1)>hola< script >alert(1)'));

Expected result:
----------------
string(12) "holaalert(1)"

Actual result:
--------------
string(51) "< img src=x onerror=alert(1)>hola< script >alert(1)"

History
 [2018-10-25 13:33 UTC] alex at buayacorp dot com
`filter_var( ..., FILTER_SANITIZE_STRING );` seems to call the underlying php_strip_tags_ex function with an appropriate `allow_tag_spaces` value https://github.com/php/php-src/blob/db47e35373513705b84b7391ed25e9854308eef2/ext/filter/sanitizing_filters.c#L212
 [2018-10-25 19:45 UTC] alex at buayacorp dot com
It looks like this might be an invalid issue after all. (Valid) HTML tags can't have whitespace after the < character. Although it's somewhat interesting that FILTER_SANITIZE_STRING is a little bit stricter.

There was another code in play in the original PHP application I was looking at that was fixing the formatting of the resulting string after the strip_tags call. Please feel free to close this ticket as invalid, and sorry for the false positive.
 [2018-10-26 08:14 UTC] cmb@php.net
-Type: Security +Type: Documentation Problem -Package: *General Issues +Package: Strings related
 [2018-10-26 08:14 UTC] cmb@php.net
> (Valid) HTML tags can't have whitespaces after the < character.

That.

Anyhow, strip_tags() is not the appropriate way to eliminate XSS vulnerabilities[1]. This should be documented in the manual.

[1] <http://news.php.net/php.internals/102462>
 [2019-05-15 21:10 UTC] peehaa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: peehaa
 [2019-05-15 21:10 UTC] peehaa@php.net
Added warning to the docs that strip_tags should not be used to prevent XSS attacks.
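As an added illustration of the point cmb makes above (this is not code from the bug report or from php-src), the script below runs the thread's inputs through strip_tags() and through context-aware output encoding with htmlspecialchars(); the html_text() helper and the $inputs array are my own constructions.

```php
<?php
// Added example: contrast strip_tags() with output encoding on the
// inputs discussed in this thread. strip_tags() only removes things
// that look like tags; it never encodes '<', '>', quotes or '&'.

/** Inputs from the report plus a well-formed variant for contrast (constructed). */
$inputs = [
    'space after <' => '< img src=x onerror=alert(1)>hola< script >alert(1)',
    'well-formed'   => '<img src=x onerror=alert(1)>hola<script>alert(1)</script>',
];

/**
 * Encode a string for insertion into an HTML element body or a
 * double-quoted attribute value. This is the mitigation the thread
 * points at: encode at output time instead of trying to strip input.
 */
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

foreach ($inputs as $label => $raw) {
    echo "== $label ==\n";
    // "< img ...>" survives strip_tags() because a tag cannot start with "< ";
    // a browser treats it the same way and renders it as literal text.
    // The well-formed variant loses its tags but keeps "alert(1)" as text.
    echo "strip_tags:       ", strip_tags($raw), "\n";
    // Encoding neutralises the metacharacters regardless of input shape,
    // so the result is inert in an HTML text or attribute context.
    echo "htmlspecialchars: ", html_text($raw), "\n";
}
```

Note that strip_tags() is not a safe choice for attribute or JavaScript contexts even when it does remove every tag, since it leaves quotes and other delimiters untouched; use an encoder matched to the output context instead.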
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 15 07:01:29 2025 UTC