php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #15972 strip_tags should allow restricting the attributes on tags that are kept
Submitted: 2002-03-09 11:56 UTC Modified: 2017-10-23 01:01 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:3 of 4 (75.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rn214 at cam dot ac dot uk Assigned:
Status: Analyzed Package: Strings related
PHP Version: * OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: rn214 at cam dot ac dot uk
New email:
PHP Version: OS:

 

 [2002-03-09 11:56 UTC] rn214 at cam dot ac dot uk 
The html strip_tags() function permits any attributes. This gives a security hole. Eg allowing <b> also permits:

<b onclick="javascript.document.location='http://www.evil.com';">

That's not so nice !

Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of html. I don't want them to be able to do anything nasty.

I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.

Thanks a lot

Richard

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-09 12:08 UTC] rn214 at cam dot ac dot uk 
Oops - that should be 

...javascript:document...
 [2002-05-02 16:10 UTC] jimw@php.net 
rewrote the summary. it would be nice if the syntax were something like: strip_tags($text, "a[href,target],br,p")
 [2010-11-19 00:05 UTC] jani@php.net
-Package: Feature/Change Request +Package: Strings related -Operating System: Linux +Operating System: * -PHP Version: 4.0.6 +PHP Version: *
 [2017-10-23 01:01 UTC] kalle@php.net
-Status: Open +Status: Analyzed
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved. 		Last updated: Sat Jan 18 06:01:23 2020 UTC