Issue

ZF-8743: StripTags filter should never allow comments

Issue Type: Bug Created: 2010-01-07T13:50:10.000+0000 Last Updated: 2010-01-11T13:06:25.000+0000 Status: Resolved Fix version(s): - 1.7.9 (11/Jan/10)

  • 1.8.5 (11/Jan/10)
  • 1.9.7 (11/Jan/10)

Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Filter

Related issues: Attachments:

Description

Currently, the StripTags filter allows optionally allowing comments. However, this should never be allowed, as it's possible to perform IE-style conditional comments that could open XSS attack vectors:

<pre class="highlight">
$filter = new Zend_Filter_StripTags;                                                                          
$filter->setCommentsAllowed(true);                                                                            
$html = "";                                       
$out = $filter->filter($html);
// results in:
//

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T14:55:46.000+0000

Resolved in trunk and 1.9, 1.8, and 1.7 release branches.

Have you found an issue?

See the Overview section for more details.

About
Overview
FAQ
License
Changelog
Security
Issues

Install
Get started
MVC skeleton app
Expressive skeleton app
Archives

Documentation
Overview
Training and Certification
Support and Consulting
Webinars
Blog
Zend Framework 2 - API
Zend Framework 1 - API

Participate
Overview
Slack
Forums
Contributor guide
Code Manifesto
Contributors
Logos
Get certified
Privacy Policy

Copyright

© 2006-2022 by Zend by Perforce. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts