Request #15972 strip_tags should allow restricting the attributes on tags that are kept
Submitted: 2002-03-09 11:56 UTC Modified: 2017-10-23 01:01 UTC
Votes: 3
Avg. Score: 5.0 ± 0.0
Reproduced: 3 of 3 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: rn214 at cam dot ac dot uk Assigned:
Status: Analyzed Package: Strings related
PHP Version: * OS: *
Private report: No CVE-ID: None

 [2002-03-09 11:56 UTC] rn214 at cam dot ac dot uk
The HTML strip_tags() function permits any attributes. This gives a security hole. E.g. allowing <b> also permits:

<b onclick="javascript.document.location='http://www.evil.com';">

That's not so nice!

Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of html. I don't want them to be able to do anything nasty.

I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.

Thanks a lot

Richard

History

 [2002-03-09 12:08 UTC] rn214 at cam dot ac dot uk
Oops - that should be 

...javascript:document...
 [2002-05-02 16:10 UTC] jimw@php.net
Rewrote the summary. It would be nice if the syntax were something like: strip_tags($text, "a[href,target],br,p")
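Added example, not code from the reporter, from jimw, or from PHP itself: it first shows the onclick attribute surviving strip_tags() exactly as the report describes, then a DOMDocument-based filter that implements the "a[href,target],br,p" allow-list syntax jimw proposed. The function names, the unwrap-disallowed-tags behaviour and the extra href scheme check are assumptions of this example; the sample input is constructed and ASCII-only.

```php
<?php
// 1. strip_tags() keeps every attribute on a tag it is told to allow, so the handler survives.
$dirty = '<b onclick="javascript:document.location=\'http://www.evil.com\';">hi</b>';
echo strip_tags($dirty, '<b>'), "\n";   // prints the <b ...> tag with onclick intact

// 2. Parse "a[href,target],br,p" into ['a' => ['href','target'], 'br' => [], 'p' => []].
function parse_allow_list(string $spec): array {
    preg_match_all('/([a-z0-9]+)(?:\[([^\]]*)\])?/i', $spec, $m, PREG_SET_ORDER);
    $allowed = [];
    foreach ($m as $match) {
        $attrs = isset($match[2]) && $match[2] !== '' ? explode(',', $match[2]) : [];
        $allowed[strtolower($match[1])] = array_map('strtolower', array_map('trim', $attrs));
    }
    return $allowed;
}

// 3. Walk the DOM: unwrap disallowed tags (keeping their text, as strip_tags does),
//    drop every attribute not on the tag's allow list, and refuse non-http(s) hrefs.
function clean_node(DOMNode $node, array $allowed): void {
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            clean_node($child, $allowed);             // grandchildren first
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                // Assumed scheme check: only http(s), root-relative, fragment or scheme-less hrefs.
                $badUrl = $name === 'href' && !preg_match('#^(https?:|/|\#|[^:]*$)#i', trim($attr->value));
                if (!in_array($name, $allowed[$tag], true) || $badUrl) {
                    $child->removeAttribute($attr->name);
                }
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);               // comments, processing instructions
        }
    }
}

function sanitize_html(string $html, string $spec): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate sloppy user markup
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    clean_node($doc->documentElement, parse_allow_list($spec));
    $out = '';
    foreach ($doc->documentElement->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

echo sanitize_html($dirty . ' <a href="javascript:alert(1)" target="_blank">x</a>', 'a[href,target],b,br,p'), "\n";
```

The last line prints `<b>hi</b> <a target="_blank">x</a>`: the event handler is gone and the javascript: href is dropped while the allowed target attribute is kept.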
 [2010-11-19 00:05 UTC] jani@php.net
-Package: Feature/Change Request +Package: Strings related -Operating System: Linux +Operating System: * -PHP Version: 4.0.6 +PHP Version: *
 [2017-10-23 01:01 UTC] kalle@php.net
-Status: Open +Status: Analyzed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC