Issues

ZF-8743: StripTags filter should never allow comments

Issue Type: Bug Created: 2010-01-07T13:50:10.000+0000 Last Updated: 2010-01-11T13:06:25.000+0000 Status: Resolved Fix version(s): - 1.7.9 (11/Jan/10)

  • 1.8.5 (11/Jan/10)
  • 1.9.7 (11/Jan/10)

Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Filter

Related issues: Attachments:

Description

Currently, the StripTags filter allows optionally allowing comments. However, this should never be allowed, as it's possible to perform IE-style conditional comments that could open XSS attack vectors:

<pre class="highlight">
$filter = new Zend_Filter_StripTags;                                                                          
$filter->setCommentsAllowed(true);                                                                            
$html = "";                                       
$out = $filter->filter($html);
// results in:
//  

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2010-01-07T14:55:46.000+0000

Resolved in trunk and 1.9, 1.8, and 1.7 release branches.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts