Request #15972 strip_tags should allow restricting the attributes on tags that are kept
Submitted: 2002-03-09 11:56 UTC Modified: 2017-10-23 01:01 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rn214 at cam dot ac dot uk Assigned:
Status: Analyzed Package: Strings related
PHP Version: * OS: *
Private report: No CVE-ID: None


 [2002-03-09 11:56 UTC] rn214 at cam dot ac dot uk
The HTML strip_tags() function permits any attributes. This gives a security hole. E.g. allowing <b> also permits:

<b onclick="javascript.document.location='';">

That's not so nice!

Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of html. I don't want them to be able to do anything nasty.

I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.

Thanks a lot



 [2002-03-09 12:08 UTC] rn214 at cam dot ac dot uk
Oops - that should be 

 [2002-05-02 16:10 UTC]
Rewrote the summary. It would be nice if the syntax were something like: strip_tags($text, "a[href,target],br,p")
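Added example, not code from the bug report or from PHP's own strip_tags() implementation. The first echo reproduces the attribute leak the report describes (every attribute on an allowed tag survives); strip_tags_restricted() is a hypothetical function, built on DOMDocument, that implements the "a[href,target],br,p" whitelist syntax proposed in the comment above. The scheme check on href/src goes beyond that proposal, because a whitelisted href is still unsafe with a javascript: URL. The helper names, the untrusted input string and the example.com URL are all constructed for illustration.

```php
<?php
// Added example; not code from the bug report or from PHP itself.
// strip_tags_restricted(), parse_allowed_spec(), sanitize_node() and
// url_attribute_ok() are hypothetical names chosen here for illustration.

// Parse the proposed "a[href,target],br,p" syntax into
// ['a' => ['href', 'target'], 'br' => [], 'p' => []].
function parse_allowed_spec(string $spec): array
{
    $allowed = [];
    preg_match_all('/([a-z][a-z0-9]*)(?:\[([^\]]*)\])?/i', $spec, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $attrs = isset($m[2]) && $m[2] !== ''
            ? array_map('strtolower', array_map('trim', explode(',', $m[2])))
            : [];
        $allowed[strtolower($m[1])] = $attrs;
    }
    return $allowed;
}

// Beyond the report's proposal: even a whitelisted href/src must carry a harmless
// scheme, so accept only http(s), mailto or a relative URL. Control characters are
// removed before the check because browsers ignore them inside a scheme.
function url_attribute_ok(string $value): bool
{
    $probe = preg_replace('/[\x00-\x20]/', '', $value);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return true; // no scheme at all: relative URL
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

// Walk the DOM: unwrap disallowed elements (keeping their text, as strip_tags() does),
// drop script/style bodies and comments outright, and remove non-whitelisted attributes.
function sanitize_node(DOMNode $node, array $allowed): void
{
    // Snapshot the child list; it is mutated inside the loop.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue; // text nodes are kept as they are
        }
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            if (in_array($tag, ['script', 'style'], true)) {
                $node->removeChild($child); // contents are code, not user text
                continue;
            }
            sanitize_node($child, $allowed);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || url_attribute_ok($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitize_node($child, $allowed);
    }
}

function strip_tags_restricted(string $html, string $spec): string
{
    $allowed = parse_allowed_spec($spec);
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy user markup quietly
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $wrapper = $doc->documentElement; // the <div> added above
    sanitize_node($wrapper, $allowed);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed untrusted input covering the cases the report worries about.
$untrusted = '<b onclick="alert(1)">bold</b> '
    . '<a href="javascript:alert(2)" target="_blank">bad link</a> '
    . '<a href="https://example.com/" onmouseover="alert(3)">good link</a>'
    . '<script>alert(4)</script><p style="color:red">para</p><br>';

// Built-in behaviour: onclick, onmouseover and style all survive on the kept tags.
echo strip_tags($untrusted, '<a><b><p><br>'), "\n";
// Restricted version: only href/target on <a> remain, and the javascript: href is dropped.
echo strip_tags_restricted($untrusted, 'a[href,target],b,br,p'), "\n";
```

Two design points worth noting: parsing with DOMDocument rather than a regex means the whitelist is applied to the tree the browser will actually build, so tricks with malformed tags do not bypass it; and the attribute whitelist alone is not enough once href or src is allowed, which is why the scheme check is there even though the original proposal does not mention it. Non-ASCII text may come back entity-encoded from saveHTML(), which is harmless but visible.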
 [2010-11-19 00:05 UTC]
-Package: Feature/Change Request +Package: Strings related -Operating System: Linux +Operating System: * -PHP Version: 4.0.6 +PHP Version: *
 [2017-10-23 01:01 UTC]
-Status: Open +Status: Analyzed
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC