PHP :: Doc Bug #77059 :: strip_tags fails to properly remove tags with whitespaces

strip_tags fails to properly remove tags with whitespaces

Submitted:

2018-10-25 13:15 UTC

Modified:

2019-05-15 21:10 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

alex at buayacorp dot com

Assigned:

peehaa (profile)

Status:

Closed

Package:

Strings related

PHP Version:

Irrelevant

OS:

debian wheezy

Private report:

CVE-ID:

None

View Developer Edit

[2018-10-25 13:15 UTC] alex at buayacorp dot com

Description:
------------
Since PHP 4.3.2 release ([1], [2]), strip_tags seems to skip (until the next < character) whatever comes next if the sequence `< ` (<+whitespace) is found. This seems somewhat problematic for some PHP applications that rely on this function as a way to remove unwanted html tags and which might also lead to XSS issues.

If there's no intention to fix this, I guess a security warning note should likely be used in the documentation page.

[1] https://3v4l.org/lNrL4
[2] https://github.com/php/php-src/commit/d9afe5c129ac7ff55f150f8263e71b2d5d4c5544

Test script:
---------------
<?php

var_dump(strip_tags('< img src=x onerror=alert(1)>hola< script >alert(1)'));

Expected result:
----------------
string(12) "holaalert(1)"

Actual result:
--------------
string(51) "< img src=x onerror=alert(1)>hola< script >alert(1)"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-10-25 13:33 UTC] alex at buayacorp dot com

`filter_var( ..., FILTER_SANITIZE_STRING );` seems to call the underlying php_strip_tags_ex function with an appropriate `allow_tag_spaces` value https://github.com/php/php-src/blob/db47e35373513705b84b7391ed25e9854308eef2/ext/filter/sanitizing_filters.c#L212

[2018-10-25 19:45 UTC] alex at buayacorp dot com

It looks like this might be an invalid issue after all. (Valid) HTML tags can't have whitespaces after the < character. Although it's somewhat interesting that FILTER_SANITIZE_STRING is a little bit more stricter.

There was another code in play in the original PHP application I was looking at that was fixing the formatting of the resulting string after the strip_tags call. Please feel free to close this ticket as invalid, and sorry for the false positive.

[2018-10-26 08:14 UTC] cmb@php.net

-Type: Security +Type: Documentation Problem -Package: *General Issues +Package: Strings related

[2018-10-26 08:14 UTC] cmb@php.net

> (Valid) HTML tags can't have whitespaces after the < character.

That.

Anyhow, strip_tags() is not the appropriate way to eliminate XSS
vulnerabilites[1].  This should be documented in the manual.

[1] <http://news.php.net/php.internals/102462>

[2019-05-15 21:10 UTC] peehaa@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: peehaa

[2019-05-15 21:10 UTC] peehaa@php.net

Added warning to the docs that strip_tags should not be used to prevent xss attacks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Jan 15 07:01:29 2025 UTC