go to bug id or search bugs for
Since PHP 4.3.2 release (, ), strip_tags seems to skip (until the next < character) whatever comes next if the sequence `< ` (<+whitespace) is found. This seems somewhat problematic for some PHP applications that rely on this function as a way to remove unwanted html tags and which might also lead to XSS issues.
If there's no intention to fix this, I guess a security warning note should likely be used in the documentation page.
var_dump(strip_tags('< img src=x onerror=alert(1)>hola< script >alert(1)'));
string(51) "< img src=x onerror=alert(1)>hola< script >alert(1)"
Add a Patch
Add a Pull Request
`filter_var( ..., FILTER_SANITIZE_STRING );` seems to call the underlying php_strip_tags_ex function with an appropriate `allow_tag_spaces` value https://github.com/php/php-src/blob/db47e35373513705b84b7391ed25e9854308eef2/ext/filter/sanitizing_filters.c#L212
It looks like this might be an invalid issue after all. (Valid) HTML tags can't have whitespaces after the < character. Although it's somewhat interesting that FILTER_SANITIZE_STRING is a little bit more stricter.
There was another code in play in the original PHP application I was looking at that was fixing the formatting of the resulting string after the strip_tags call. Please feel free to close this ticket as invalid, and sorry for the false positive.
> (Valid) HTML tags can't have whitespaces after the < character.
Anyhow, strip_tags() is not the appropriate way to eliminate XSS
vulnerabilites. This should be documented in the manual.
Added warning to the docs that strip_tags should not be used to prevent xss attacks.