ZF-8743: StripTags filter should never allow comments
Description
Currently, the StripTags filter optionally allows comments. However, this should never be allowed, as it's possible to use IE-style conditional comments that could open XSS attack vectors:
<?php
// ZF1 convention: load the class from the include path.
require_once 'Zend/Filter/StripTags.php';

$filter = new Zend_Filter_StripTags;
// Opting in to comments is the unsafe setting described above.
$filter->setCommentsAllowed(true);
$html = "";
$out = $filter->filter($html);
// results in:
//
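To make the failure mode concrete, here is an added, self-contained Python model of a StripTags-style filter (it is not Zend's implementation and not part of this ticket). The payload string is constructed for the example; it uses the downlevel-hidden conditional-comment syntax that legacy Internet Explorer parses as markup rather than as a comment. With comments allowed, the filter hands the embedded script element straight through; with comments stripped (the behaviour the ticket asks for) nothing survives. The function and constant names are the example's own.

```python
import re

# Constructed sample input for this example: a harmless paragraph followed by
# an IE conditional comment wrapping a script element. Browsers that honour
# conditional comments evaluate the contents as markup, so a sanitizer that
# preserves comments verbatim ends up emitting executable script.
PAYLOAD = (
    "<p>hello</p>"
    "<!--[if gte IE 4]><script>alert(1)</script><![endif]-->"
)

# One regex, two alternatives: group 1 captures a whole HTML comment,
# group 2 captures an ordinary tag. Comments are tried first so that tags
# inside a comment are never matched individually.
_TOKEN_RE = re.compile(r"(<!--.*?-->)|(<[^>]*>)", re.DOTALL)

# Downlevel-hidden conditional comment: <!--[if ...]> ... <![endif]-->
_CONDITIONAL_RE = re.compile(
    r"<!--\s*\[if[^\]]*\]>(.*?)<!\[endif\]-->", re.IGNORECASE | re.DOTALL
)

_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def strip_tags(html: str, comments_allowed: bool = False) -> str:
    """Toy stand-in for a tag-stripping filter (example code, not Zend's).

    Every ordinary tag is removed. HTML comments are removed too unless
    comments_allowed is True, in which case they are kept byte-for-byte,
    which is exactly the option the ticket argues must not exist.
    """

    def _replace(match: re.Match) -> str:
        comment = match.group(1)
        if comment is not None:
            return comment if comments_allowed else ""
        return ""  # an ordinary opening or closing tag

    return _TOKEN_RE.sub(_replace, html)


def conditional_comment_markup(html: str) -> list:
    """Return the markup a conditional-comment-aware browser would parse."""
    return _CONDITIONAL_RE.findall(html)


def contains_script(html: str) -> bool:
    """True if a <script> start tag survives in the filtered output."""
    return _SCRIPT_RE.search(html) is not None


if __name__ == "__main__":
    unsafe = strip_tags(PAYLOAD, comments_allowed=True)
    safe = strip_tags(PAYLOAD)
    print("comments allowed :", unsafe)
    print("  IE would parse :", conditional_comment_markup(unsafe))
    print("  script present :", contains_script(unsafe))
    print("comments stripped:", safe)
    print("  script present :", contains_script(safe))
```

The takeaway for anyone maintaining a sanitizer: a comment is only inert if every consumer treats it as one, and conditional comments are a case where at least one widely deployed consumer did not. Removing the option is safer than trying to enumerate the comment syntaxes a particular engine special-cases.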
Comments
Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T14:55:46.000+0000
Resolved in trunk and 1.9, 1.8, and 1.7 release branches.