Issues

ZF-8483: Make Strip-Tags more secure

Description

Actually Zend_Filter_StripTags is very unsecure when you are whitespacing tags and attributes.

See here for details: http://blog.astrumfutura.com/archives/…

Case 1:


$filter = new Zend_Filter_StripTags;
$filter->setTagsAllowed(array(
    'img' => array('src')
));
$out = $filter->filter('image.png');

Output incorrect:


Should be with source content!!

Case 2:


$filter = new Zend_Filter_StripTags;
$filter->setTagsAllowed(array(
    'div'
));
$out = $filter->filter('

Comments

I can also comfirm there are other XSS vector exploits possible with the StripTags filter - the example given is the simplest one. All told, StripTags is really really bad.

I cannot reproduce the output by use case 1. IN my tests on 5.2.11, 5.3.0 and 5.3.1- the StripTags method works as expected.

As for the div example, it seems like this too is working as expected. StripTags is a static filter, it does not do token based parsing of the stream of text, as such, it has no semantic awareness of the stream of text as hierarchical HTML. That being the case, if follows strict whitelist or strip rules. Since div is in the whitelist, it is valid to have all closing div tags. Ideally, the users strategy would not be to have a definition to leave only divs in place.

As for use case 3, this too is working as expected. Currently, StripTags does not validate the VALUE of a whitelisted attribute. This too should be taken into consideration by developers when developing a stripping strategy. In this case, the href is whitelisted, therefore the attribute and value both can pass the StripTags filter.

Also, it should be noted that from a security standpoint, even though obfuscated.. the severity here is really not much higher than if the target text was actually



Again, StripTags does not have a semantic awareness of what is good and evil to humans, thus, it here too is doing what it was told to do.

I am inclined to mark as close on this one, but there should perhaps be an issue raised that would allow developers to add an additional regex for validating the value of a whitelisted attribute.

-ralph

The report is an "improvement" type rather than a bug report. I agree these are not fixable bugs, and the report can be closed if the improvements will not be added.

Bulk change of all issues last updated before 1st January 2010 as "Won't Fix".

Feel free to re-open and provide a patch if you want to fix this issue.