Request #15972 strip_tags should allow restricting the attributes on tags that are kept
Submitted: 2002-03-09 11:56 UTC Modified: 2021-05-26 19:20 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:3 of 4 (75.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: rn214 at cam dot ac dot uk Assigned:
Status: Wont fix Package: Strings related
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2002-03-09 11:56 UTC] rn214 at cam dot ac dot uk
The HTML strip_tags() function permits any attributes. This gives a security hole. E.g. allowing <b> also permits:

<b onclick="javascript.document.location='http://www.evil.com';">

That's not so nice!

Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of html. I don't want them to be able to do anything nasty.

I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.

Thanks a lot

Richard

History

 [2002-03-09 12:08 UTC] rn214 at cam dot ac dot uk
Oops - that should be 

...javascript:document...
 [2002-05-02 16:10 UTC] jimw@php.net
Rewrote the summary. It would be nice if the syntax were something like: strip_tags($text, "a[href,target],br,p")
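An added example, not code from this report or from PHP itself, that covers both the original problem (strip_tags() keeps every attribute of a tag it is told to keep) and the tag[attr,...] syntax proposed above: parse_allow_spec() turns "a[href,target],br,p" into a per-tag attribute allowlist and strip_tags_attrs() enforces it with DOMDocument. The function names and the wrapper-<div> parsing trick are this example's own assumptions.

```php
<?php
// Added example (not code from the bug report or from PHP): the "tag[attr,...]" allowlist
// syntax proposed in the thread, implemented over DOMDocument. Function names are mine.
function parse_allow_spec(string $spec): array
{
    $allowed = [];
    preg_match_all('/([a-z0-9]+)(?:\[([^\]]*)\])?/i', $spec, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $attrs = ($match[2] ?? '') === '' ? [] : explode(',', $match[2]);
        $allowed[strtolower($match[1])] = array_map('strtolower', array_map('trim', $attrs));
    }
    return $allowed;
}

// Unwrap disallowed elements (their text survives, as with strip_tags()) and drop every attribute not allowlisted for the tag.
function filter_node(DOMNode $parent, array $allowed): void
{
    // Snapshot the child list first: unwrapping mutates the live DOMNodeList.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) { continue; }
        filter_node($child, $allowed);
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->name), $allowed[$tag], true)) {
                $child->removeAttributeNode($attr);
            }
        }
    }
}

function strip_tags_attrs(string $html, string $spec): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // the fragment has no <html>/<body>; ignore those warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement; // the wrapper <div>
    filter_node($root, parse_allow_spec($spec));
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes, false)));
}
// Constructed sample input: the report's <b onclick> plus a link with an inline handler.
$input = '<b onclick="javascript:document.location=\'http://www.evil.com\';">hi</b><a href="/profile" onmouseover="alert(1)">me</a>';
echo strip_tags($input, '<b><a>'), "\n";          // both event handlers survive
echo strip_tags_attrs($input, 'a[href],b'), "\n"; // <b>hi</b><a href="/profile">me</a>
```

An attribute allowlist still does not validate attribute values: an allowed href can carry a javascript: URL, so URL-bearing attributes need a scheme check on top of this.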
 [2010-11-19 00:05 UTC] jani@php.net
-Package: Feature/Change Request +Package: Strings related -Operating System: Linux +Operating System: * -PHP Version: 4.0.6 +PHP Version: *
 [2017-10-23 01:01 UTC] kalle@php.net
-Status: Open +Status: Analyzed
 [2021-05-26 19:20 UTC] krakjoe@php.net
-Status: Analyzed +Status: Wont fix
 [2021-05-26 19:20 UTC] krakjoe@php.net
In the 19 years since this feature request was made, no implementation has been proposed.

I'm closing this as won't fix, as that seems to more accurately represent the status of this request.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jul 24 03:01:23 2021 UTC