Security Advisory
ZF2009-02: XSS vector in Zend_Filter_StripTags
Executive Summary
Zend_Filter_StripTags is a filtering class analogous to PHP's
strip_tags() function. In addition to stripping HTML tags and
selectively keeping those provided in a whitelist, it also provides the
ability to whitelist specific attributes to retain per whitelisted tag.
The reporter discovered that attributes that contained whitespace, and in paricular, line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were whitelisted. As examples of input affected:
<!-- newlines before and/or after assignment: -->
<a href="http://framework.zend.com/issues" onclick
=
"alert('Broken'); return false;">Issues</a>
When passed to the following code:
$filter = new Zend_Filter_StripTags(array('a' => array('href')));
$value = $filter->($html);
then the "onclick" attribute would remain, even though it was not specified in the tag's whitelist. This could open potential cross-site scripting attack (XSS) vectors.
Action Taken
The functionality was patched, and the patch released starting in Zend Framework version 1.7.6.
Recommendations
If you were using Zend_Filter_StripTags and utlizing the
attribute whitelisting functionality, you should immediately upgrade to
Zend Framework 1.7.6 or above; regardless, it is always best to run the most
current version of the framework.
Also, if relying on Zend_Filter_StripTags to prevent XSS, the
only way to reliably do so is to strip all tags, and never to whitelist. If
you are whitelisting, you should consider finding a reliable XSS filter
through which to run your output; we recommend
HTML Purifier.
Other Information
Acknowledgments
The Zend Framework team thanks the following for working with us to help protect its users:
- Aleksey Rechinskiy, who made the initial report and provided a number of code samples that reproduced the issue
Reporting Potential Security Issues
If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.
When reporting issues, please provide the following information:
- Component(s) affected
- A description indicating how to reproduce the issue
- A summary of the security vulnerability and impact
We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.
For sensitive email communications, please use our PGP key.
Policy
Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:
- We will patch the current release branch, as well as the immediate prior minor release branch.
- After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
- A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery)