Doc Bug #77059 strip_tags fails to properly remove tags with whitespaces
Submitted: 2018-10-25 13:15 UTC Modified: 2019-05-15 21:10 UTC
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: alex at buayacorp dot com Assigned: peehaa (profile)
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: debian wheezy
Private report: No CVE-ID: None

 [2018-10-25 13:15 UTC] alex at buayacorp dot com
Since the PHP 4.3.2 release ([1], [2]), strip_tags seems to skip (until the next < character) whatever comes next if the sequence `< ` (<+whitespace) is found. This seems somewhat problematic for some PHP applications that rely on this function as a way to remove unwanted HTML tags, and it might also lead to XSS issues.

If there's no intention to fix this, I guess a security warning note should likely be used in the documentation page.


Test script:

<?php
// The whitespace after '<' keeps strip_tags() from treating these as tags
var_dump(strip_tags('< img src=x onerror=alert(1)>hola< script >alert(1)'));

Expected result:
string(12) "holaalert(1)"

Actual result:
string(51) "< img src=x onerror=alert(1)>hola< script >alert(1)"


 [2018-10-25 13:33 UTC] alex at buayacorp dot com
`filter_var( ..., FILTER_SANITIZE_STRING );` seems to call the underlying php_strip_tags_ex function with an appropriate `allow_tag_spaces` value.
 [2018-10-25 19:45 UTC] alex at buayacorp dot com
It looks like this might be an invalid issue after all. (Valid) HTML tags can't have whitespace after the < character. Although it's somewhat interesting that FILTER_SANITIZE_STRING is a little bit stricter.

There was other code in play in the original PHP application I was looking at that was fixing the formatting of the resulting string after the strip_tags call. Please feel free to close this ticket as invalid, and sorry for the false positive.
 [2018-10-26 08:14 UTC]
-Type: Security +Type: Documentation Problem -Package: *General Issues +Package: Strings related
 [2018-10-26 08:14 UTC]
> (Valid) HTML tags can't have whitespace after the < character.

Anyhow, strip_tags() is not the appropriate way to eliminate XSS
vulnerabilities [1]. This should be documented in the manual.

[1] <>
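Added example (not code from the bug report or from PHP itself): the reporter's input run through the three approaches discussed in this thread, showing why context-appropriate output encoding rather than tag removal is the defensive choice; the helper name encode_for_html is my own.

```php
<?php
// Constructed sample: the same untrusted string used in the bug report.
$untrusted = '< img src=x onerror=alert(1)>hola< script >alert(1)';

// 1. strip_tags(): a '<' followed by whitespace is not treated as a tag
//    opener, so the string comes back unchanged (the behaviour reported above).
$stripped = strip_tags($untrusted);

// 2. FILTER_SANITIZE_STRING: per the reporter's comment, calls the tag
//    stripper with allow_tag_spaces set, so whitespace-prefixed tags are
//    removed as well. Note that this filter is deprecated as of PHP 8.1,
//    so it is not a long-term answer either.
$filtered = filter_var($untrusted, FILTER_SANITIZE_STRING);

// 3. Output encoding: the approach the thread's conclusion points to.
//    Rather than trying to delete markup, encode the untrusted string for
//    the context it is inserted into (here, HTML text/attribute content)
//    so the browser never interprets any of it as markup.
function encode_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$encoded = encode_for_html($untrusted);

// Side-by-side view: only the encoded form is safe to emit into an HTML page.
foreach (['strip_tags'             => $stripped,
          'FILTER_SANITIZE_STRING' => $filtered,
          'htmlspecialchars'       => $encoded] as $label => $value) {
    printf("%-22s %s\n", $label, $value);
}
```

If the application must allow some HTML through (e.g. user-formatted content), the thread's warning still applies: use a real HTML sanitiser with an allow-list rather than strip_tags().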
 [2019-05-15 21:10 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: peehaa
 [2019-05-15 21:10 UTC]
Added warning to the docs that strip_tags should not be used to prevent xss attacks.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 01 12:01:29 2024 UTC