Issue Type: Bug Created: 2010-01-07T13:50:10.000+0000 Last Updated: 2010-01-11T13:06:25.000+0000 Status: Resolved Fix version(s): - 1.7.9 (11/Jan/10)
Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Filter
Related issues: Attachments:
Currently, the StripTags filter allows optionally allowing comments. However, this should never be allowed, as it's possible to perform IE-style conditional comments that could open XSS attack vectors:
<pre class="highlight"> $filter = new Zend_Filter_StripTags; $filter->setCommentsAllowed(true); $html = ""; $out = $filter->filter($html); // results in: //
Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T14:55:46.000+0000
Resolved in trunk and 1.9, 1.8, and 1.7 release branches.
Have you found an issue?
See the Overview section for more details.