Issue Type: Improvement Created: 2009-12-06T07:30:53.000+0000 Last Updated: 2012-11-20T20:52:45.000+0000 Status: Closed Fix version(s): Reporter: Thomas Weidner (thomas) Assignee: None Tags: - Zend_Filter
Related issues: - ZF-8502
Actually Zend_Filter_StripTags is very unsecure when you are whitespacing tags and attributes.
See here for details: http://blog.astrumfutura.com/archives/…
<pre class="highlight"> $filter = new Zend_Filter_StripTags; $filter->setTagsAllowed(array( 'img' => array('src') )); $out = $filter->filter('<img alt="image.png" src="http://example.com/image.png"></img>');
<pre class="highlight"> <img alt="" src=""></img>
Should be with source content!!
<pre class="highlight"> $filter = new Zend_Filter_StripTags; $filter->setTagsAllowed(array( 'div' )); $out = $filter->filter('
Posted by Pádraic Brady (padraic) on 2009-12-07T06:17:53.000+0000
I can also comfirm there are other XSS vector exploits possible with the StripTags filter - the example given is the simplest one. All told, StripTags is really really bad.
Posted by Ralph Schindler (ralph) on 2009-12-08T06:01:05.000+0000
I cannot reproduce the output by use case 1. IN my tests on 5.2.11, 5.3.0 and 5.3.1- the StripTags method works as expected.
As for the div example, it seems like this too is working as expected. StripTags is a static filter, it does not do token based parsing of the stream of text, as such, it has no semantic awareness of the stream of text as hierarchical HTML. That being the case, if follows strict whitelist or strip rules. Since div is in the whitelist, it is valid to have all closing div tags. Ideally, the users strategy would not be to have a definition to leave only divs in place.
As for use case 3, this too is working as expected. Currently, StripTags does not validate the VALUE of a whitelisted attribute. This too should be taken into consideration by developers when developing a stripping strategy. In this case, the href is whitelisted, therefore the attribute and value both can pass the StripTags filter.
Also, it should be noted that from a security standpoint, even though obfuscated.. the severity here is really not much higher than if the target text was actually
<pre class="highlight"> <a href="http://some.really.com/porn/and/click/tracking/ridden/site.html"></a>
Again, StripTags does not have a semantic awareness of what is good and evil to humans, thus, it here too is doing what it was told to do.
I am inclined to mark as close on this one, but there should perhaps be an issue raised that would allow developers to add an additional regex for validating the value of a whitelisted attribute.
Posted by Pádraic Brady (padraic) on 2009-12-08T06:35:28.000+0000
The report is an "improvement" type rather than a bug report. I agree these are not fixable bugs, and the report can be closed if the improvements will not be added.
Posted by Rob Allen (rob) on 2012-11-20T20:52:45.000+0000
Bulk change of all issues last updated before 1st January 2010 as "Won't Fix".
Feel free to re-open and provide a patch if you want to fix this issue.
Have you found an issue?
See the Overview section for more details.