php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78814 strip_tags allows / in tag name, allowing whitelist bypass in browsers
Submitted: 2019-11-14 12:16 UTC Modified: 2019-12-02 10:41 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: talkemade at computest dot nl Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.3.11 OS: all
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: talkemade at computest dot nl
New email:
PHP Version: OS:

 

 [2019-11-14 12:16 UTC] talkemade at computest dot nl
Description:
------------
When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.

For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.

The browsers Chrome, Firefox and Safari, however, interpret this syntax as <s trong=""> (in HTML this would result in a strikethrough element with an unknown attribute). This means that it's possible to use any tag which is a prefix of a tag that is whitelisted. If the whitelist is important for security then this can allow the introduction of non-whitelisted tags.

Test script:
---------------
<?php

echo strip_tags("<s/trong>b</strong>", "<strong>");

Expected result:
----------------
b

Actual result:
--------------
<s/trong>b</strong>

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-14 14:59 UTC] cmb@php.net
> If the whitelist is important for security […]

Then the program makes a wrong assumption.
 [2019-11-17 13:18 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2019-11-17 13:18 UTC] cmb@php.net
Okay, lets consult the docs[1]:

| This function should not be used to try to prevent XSS attacks.

So this is clearly not a security issue.  I agree, though, that
the reported behavior is erroneous, but would expect the following
output

    b</strong>

[1] <https://www.php.net/strip_tags>
 [2019-11-17 13:23 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78814: strip_tags allows / in tag name => whitelist bypass
On GitHub:  https://github.com/php/php-src/pull/4923
Patch:      https://github.com/php/php-src/pull/4923.patch
 [2019-11-17 13:29 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2019-12-02 10:40 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=600f1f898f9771d13880255e74ea1c10590f5fd5
Log: Fix #78814: strip_tags allows / in tag name =&gt; whitelist bypass
 [2019-12-02 10:40 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-12-02 10:41 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Oct 21 16:01:24 2020 UTC