PHP :: Bug #78814 :: strip_tags allows / in tag name, allowing whitelist bypass in browsers

Bug #78814

strip_tags allows / in tag name, allowing whitelist bypass in browsers

Submitted:

2019-11-14 12:16 UTC

Modified:

2019-12-02 10:41 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

talkemade at computest dot nl

Assigned:

cmb (profile)

Status:

Closed

Package:

Strings related

PHP Version:

7.3.11

OS:

all

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	talkemade at computest dot nl
New email:
PHP Version:		OS:

New Comment:

[2019-11-14 12:16 UTC] talkemade at computest dot nl

Description:
------------
When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.

For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.

The browsers Chrome, Firefox and Safari, however, interpret this syntax as <s trong=""> (in HTML this would result in a strikethrough element with an unknown attribute). This means that it's possible to use any tag which is a prefix of a tag that is whitelisted. If the whitelist is important for security then this can allow the introduction of non-whitelisted tags.

Test script:
---------------
<?php

echo strip_tags("<s/trong>b</strong>", "<strong>");

Expected result:
----------------
b

Actual result:
--------------
<s/trong>b</strong>

Patches

Pull Requests

Pull requests:

Fix #78814: strip_tags allows / in tag name => whitelist bypass (php-src/4923)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-11-14 14:59 UTC] cmb@php.net

> If the whitelist is important for security […]

Then the program makes a wrong assumption.

[2019-11-17 13:18 UTC] cmb@php.net

-Type: Security +Type: Bug

[2019-11-17 13:18 UTC] cmb@php.net

Okay, lets consult the docs[1]:

| This function should not be used to try to prevent XSS attacks.

So this is clearly not a security issue.  I agree, though, that
the reported behavior is erroneous, but would expect the following
output

    b</strong>

[1] <https://www.php.net/strip_tags>

[2019-11-17 13:23 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #78814: strip_tags allows / in tag name => whitelist bypass
On GitHub:  https://github.com/php/php-src/pull/4923
Patch:      https://github.com/php/php-src/pull/4923.patch

[2019-11-17 13:29 UTC] cmb@php.net

-Status: Open +Status: Verified

[2019-12-02 10:40 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=600f1f898f9771d13880255e74ea1c10590f5fd5
Log: Fix #78814: strip_tags allows / in tag name =&gt; whitelist bypass

[2019-12-02 10:40 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2019-12-02 10:41 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Oct 27 16:01:27 2024 UTC