Issues

ZF-8483: Make Strip-Tags more secure

Issue Type: Improvement Created: 2009-12-06T07:30:53.000+0000 Last Updated: 2012-11-20T20:52:45.000+0000 Status: Closed Fix version(s): Reporter: Thomas Weidner (thomas) Assignee: None Tags: - Zend_Filter

Related issues: - ZF-8502

Attachments:

Description

Actually Zend_Filter_StripTags is very unsecure when you are whitespacing tags and attributes.

See here for details: http://blog.astrumfutura.com/archives/…

Case 1:

<pre class="highlight">
$filter = new Zend_Filter_StripTags;
$filter->setTagsAllowed(array(
    'img' => array('src')
));
$out = $filter->filter('<img alt="image.png" src="http://example.com/image.png"></img>');

Output incorrect:

<pre class="highlight">
<img alt="" src=""></img>

Should be with source content!!

Case 2:

<pre class="highlight">
$filter = new Zend_Filter_StripTags;
$filter->setTagsAllowed(array(
    'div'
));
$out = $filter->filter('

Comments

Posted by Pádraic Brady (padraic) on 2009-12-07T06:17:53.000+0000

I can also comfirm there are other XSS vector exploits possible with the StripTags filter - the example given is the simplest one. All told, StripTags is really really bad.

Posted by Ralph Schindler (ralph) on 2009-12-08T06:01:05.000+0000

I cannot reproduce the output by use case 1. IN my tests on 5.2.11, 5.3.0 and 5.3.1- the StripTags method works as expected.

As for the div example, it seems like this too is working as expected. StripTags is a static filter, it does not do token based parsing of the stream of text, as such, it has no semantic awareness of the stream of text as hierarchical HTML. That being the case, if follows strict whitelist or strip rules. Since div is in the whitelist, it is valid to have all closing div tags. Ideally, the users strategy would not be to have a definition to leave only divs in place.

As for use case 3, this too is working as expected. Currently, StripTags does not validate the VALUE of a whitelisted attribute. This too should be taken into consideration by developers when developing a stripping strategy. In this case, the href is whitelisted, therefore the attribute and value both can pass the StripTags filter.

Also, it should be noted that from a security standpoint, even though obfuscated.. the severity here is really not much higher than if the target text was actually

<pre class="highlight">
<a href="http://some.really.com/porn/and/click/tracking/ridden/site.html"></a>

Again, StripTags does not have a semantic awareness of what is good and evil to humans, thus, it here too is doing what it was told to do.

I am inclined to mark as close on this one, but there should perhaps be an issue raised that would allow developers to add an additional regex for validating the value of a whitelisted attribute.

-ralph

Posted by Pádraic Brady (padraic) on 2009-12-08T06:35:28.000+0000

The report is an "improvement" type rather than a bug report. I agree these are not fixable bugs, and the report can be closed if the improvements will not be added.

Posted by Rob Allen (rob) on 2012-11-20T20:52:45.000+0000

Bulk change of all issues last updated before 1st January 2010 as "Won't Fix".

Feel free to re-open and provide a patch if you want to fix this issue.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts