Issue Type: Bug Created: 2010-01-07T13:50:10.000+0000 Last Updated: 2010-01-11T13:06:25.000+0000 Status: Resolved Fix version(s): - 1.7.9 (11/Jan/10)
Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Filter
Related issues: Attachments:
Currently, the StripTags filter allows optionally allowing comments. However, this should never be allowed, as it's possible to perform IE-style conditional comments that could open XSS attack vectors:
<pre class="highlight">
$filter = new Zend_Filter_StripTags;
$filter->setCommentsAllowed(true);
$html = "";
$out = $filter->filter($html);
// results in:
//
Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T14:55:46.000+0000
Resolved in trunk and 1.9, 1.8, and 1.7 release branches.