Bug #78814 strip_tags allows / in tag name, allowing whitelist bypass in browsers
Submitted: 2019-11-14 12:16 UTC Modified: 2019-12-02 10:41 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: talkemade at computest dot nl Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.3.11 OS: all
Private report: No CVE-ID: None
 [2019-11-14 12:16 UTC] talkemade at computest dot nl
Description:
------------
When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.

For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.

The browsers Chrome, Firefox and Safari, however, interpret this syntax as <s trong=""> (in HTML this would result in a strikethrough element with an unknown attribute). This means that it's possible to use any tag which is a prefix of a tag that is whitelisted. If the whitelist is important for security then this can allow the introduction of non-whitelisted tags.

Test script:
---------------
<?php

echo strip_tags("<s/trong>b</strong>", "<strong>");

Expected result:
----------------
b

Actual result:
--------------
<s/trong>b</strong>
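As an added check that is not part of the report or of PHP's own code: a small Python script (the helper names browser_tag_names and disallowed_tags are assumed) that extracts tag names the way the HTML5 tokenizer does, where a name ends at whitespace, "/" or ">", so sanitizer output can be verified against the allowlist as a browser reads it rather than as strip_tags matched it.

```python
import re

# HTML5 tokenizer rule: a tag name starts with an ASCII letter and ends at
# whitespace, "/" or ">". This is why browsers read <s/trong> as <s trong="">.
_TAG_RE = re.compile(r"<(/?)([A-Za-z][^\s/>]*)")


def browser_tag_names(html: str) -> list[str]:
    """Tag names a browser would tokenize from html, in order, lowercased."""
    return [m.group(2).lower() for m in _TAG_RE.finditer(html)]


def disallowed_tags(html: str, allowlist: str) -> list[str]:
    """Tags in html (as a browser tokenizes it) that are not on the allowlist.

    allowlist uses the strip_tags convention, e.g. "<strong><em>".
    """
    allowed = {t.lower() for t in re.findall(r"<([A-Za-z][^\s/>]*)>", allowlist)}
    return [t for t in browser_tag_names(html) if t not in allowed]


# Constructed samples: the report's test input as strip_tags 7.3.11 returned it,
# and the output the maintainer says the fixed function should produce.
UNFIXED_OUTPUT = "<s/trong>b</strong>"
FIXED_OUTPUT = "b</strong>"
ALLOWLIST = "<strong>"

if __name__ == "__main__":
    for label, out in (("unfixed", UNFIXED_OUTPUT), ("fixed", FIXED_OUTPUT)):
        print(f"{label}: browser sees {browser_tag_names(out)}; "
              f"disallowed = {disallowed_tags(out, ALLOWLIST)}")
```

Running it reports the "unfixed" output as containing a disallowed <s> tag and the "fixed" output as clean, which is the mismatch the report describes.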

 [2019-11-14 14:59 UTC] cmb@php.net
> If the whitelist is important for security […]

Then the program makes a wrong assumption.
 [2019-11-17 13:18 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2019-11-17 13:18 UTC] cmb@php.net
Okay, let's consult the docs[1]:

| This function should not be used to try to prevent XSS attacks.

So this is clearly not a security issue.  I agree, though, that
the reported behavior is erroneous, but would expect the following
output

    b</strong>

[1] <https://www.php.net/strip_tags>
 [2019-11-17 13:23 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78814: strip_tags allows / in tag name => whitelist bypass
On GitHub:  https://github.com/php/php-src/pull/4923
Patch:      https://github.com/php/php-src/pull/4923.patch
 [2019-11-17 13:29 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-12-02 10:40 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=600f1f898f9771d13880255e74ea1c10590f5fd5
Log: Fix #78814: strip_tags allows / in tag name => whitelist bypass
 [2019-12-02 10:40 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-12-02 10:41 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC