Doc Bug #77059 strip_tags fails to properly remove tags with whitespaces
Submitted: 2018-10-25 13:15 UTC Modified: 2018-10-26 08:14 UTC
From: alex at buayacorp dot com Assigned:
Status: Open Package: Strings related
PHP Version: Irrelevant OS: debian wheezy
Private report: No CVE-ID: None
 [2018-10-25 13:15 UTC] alex at buayacorp dot com
Description:
------------
Since PHP 4.3.2 release ([1], [2]), strip_tags seems to skip (until the next < character) whatever comes next if the sequence `< ` (<+whitespace) is found. This seems somewhat problematic for some PHP applications that rely on this function as a way to remove unwanted html tags and which might also lead to XSS issues.

If there's no intention to fix this, I guess a security warning note should likely be used in the documentation page.

[1] https://3v4l.org/lNrL4
[2] https://github.com/php/php-src/commit/d9afe5c129ac7ff55f150f8263e71b2d5d4c5544

Test script:
---------------
<?php

var_dump(strip_tags('< img src=x onerror=alert(1)>hola< script >alert(1)'));

Expected result:
----------------
string(12) "holaalert(1)"

Actual result:
--------------
string(51) "< img src=x onerror=alert(1)>hola< script >alert(1)"

History

 [2018-10-25 13:33 UTC] alex at buayacorp dot com
`filter_var( ..., FILTER_SANITIZE_STRING );` seems to call the underlying php_strip_tags_ex function with an appropriate `allow_tag_spaces` value https://github.com/php/php-src/blob/db47e35373513705b84b7391ed25e9854308eef2/ext/filter/sanitizing_filters.c#L212
 [2018-10-25 19:45 UTC] alex at buayacorp dot com
It looks like this might be an invalid issue after all. (Valid) HTML tags can't have whitespaces after the < character. Although it's somewhat interesting that FILTER_SANITIZE_STRING is a little bit stricter.

There was other code in play in the original PHP application I was looking at that was fixing the formatting of the resulting string after the strip_tags call. Please feel free to close this ticket as invalid, and sorry for the false positive.
 [2018-10-26 08:14 UTC] cmb@php.net
-Type: Security
+Type: Documentation Problem
-Package: *General Issues
+Package: Strings related
 [2018-10-26 08:14 UTC] cmb@php.net
> (Valid) HTML tags can't have whitespaces after the < character.

That.

Anyhow, strip_tags() is not the appropriate way to eliminate XSS
vulnerabilities[1].  This should be documented in the manual.

[1] <http://news.php.net/php.internals/102462>
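
The point made in the last comment, as an added example that is not part of the thread or of php-src: untrusted text is encoded at output time with htmlspecialchars() rather than filtered with strip_tags(). The helper names e() and has_markup_chars() and the template fragment are hypothetical; the input string is the one from the report's test script.

```php
<?php
declare(strict_types=1);

// Added example, not code from the report or from php-src.
// Input copied from the report's test script.
$input = '< img src=x onerror=alert(1)>hola< script >alert(1)';

// Encode untrusted text for an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of making the call return an empty string.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if the string still contains a character that can open markup or
// close a quoted attribute value.
function has_markup_chars(string $s): bool
{
    return strpbrk($s, '<>"\'') !== false;
}

$stripped = strip_tags($input);
$encoded  = e($input);

// The report's "Actual result": strip_tags() hands the input back unchanged,
// so the angle brackets are still present in what would be written out.
var_dump($stripped === $input);
var_dump(has_markup_chars($stripped));

// After encoding, no markup-significant character is left in the output.
var_dump(has_markup_chars($encoded));

// Hypothetical template fragment: the same helper serves the text node and
// the double-quoted attribute value.
printf("<p title=\"%s\">%s</p>\n", e($input), e($input));
```

The helper covers HTML text and quoted-attribute contexts only; values written into URLs, inline scripts or style blocks need encoding specific to those contexts.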
 
Last updated: Wed Dec 19 02:01:25 2018 UTC