|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78814 strip_tags allows / in tag name, allowing whitelist bypass in browsers
Submitted: 2019-11-14 12:16 UTC Modified: 2019-12-02 10:41 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: talkemade at computest dot nl Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.3.11 OS: all
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: talkemade at computest dot nl
New email:
PHP Version: OS:


 [2019-11-14 12:16 UTC] talkemade at computest dot nl
When strip_tags is used with a whitelist of tags, php allows slashes ("/") that occur inside the name of a whitelisted tag and copies them to the result.

For example, if <strong> is whitelisted, then a tag <s/trong> is also kept.

The browsers Chrome, Firefox and Safari, however, interpret this syntax as <s trong=""> (in HTML this would result in a strikethrough element with an unknown attribute). This means that it's possible to use any tag which is a prefix of a tag that is whitelisted. If the whitelist is important for security then this can allow the introduction of non-whitelisted tags.

Test script:

echo strip_tags("<s/trong>b</strong>", "<strong>");

Expected result:

Actual result:


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-14 14:59 UTC]
> If the whitelist is important for security […]

Then the program makes a wrong assumption.
 [2019-11-17 13:18 UTC]
-Type: Security +Type: Bug
 [2019-11-17 13:18 UTC]
Okay, lets consult the docs[1]:

| This function should not be used to try to prevent XSS attacks.

So this is clearly not a security issue.  I agree, though, that
the reported behavior is erroneous, but would expect the following


[1] <>
 [2019-11-17 13:23 UTC]
The following pull request has been associated:

Patch Name: Fix #78814: strip_tags allows / in tag name => whitelist bypass
On GitHub:
 [2019-11-17 13:29 UTC]
-Status: Open +Status: Verified
 [2019-12-02 10:40 UTC]
Automatic comment on behalf of
Log: Fix #78814: strip_tags allows / in tag name =&gt; whitelist bypass
 [2019-12-02 10:40 UTC]
-Status: Verified +Status: Closed
 [2019-12-02 10:41 UTC]
-Assigned To: +Assigned To: cmb
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 17 09:01:27 2024 UTC