Zend_Filter_StripTags is a filtering class analogous to PHP's
function. In addition to stripping HTML tags and selectively keeping those
provided in a whitelist, it also provides the ability to whitelist specific
attributes to retain per whitelisted tag.
The reporter discovered that attributes that contained whitespace, and in paricular, line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were whitelisted. As examples of input affected:
<!-- newlines before and/or after assignment: --> <a href="http://framework.zend.com/issues" onclick = "alert('Broken'); return false;">Issues</a>
When passed to the following code:
$filter = new Zend_Filter_StripTags(array('a' => array('href'))); $value = $filter->($html);
then the "onclick" attribute would remain, even though it was not specified in the tag's whitelist. This could open potential cross-site scripting attack (XSS) vectors.
The functionality was patched, and the patch released starting in Zend Framework version 1.7.6.
If you were using
Zend_Filter_StripTags and utlizing the attribute
whitelisting functionality, you should immediately upgrade to Zend Framework
1.7.6 or above; regardless, it is always best to run the most current version of
Also, if relying on
Zend_Filter_StripTags to prevent XSS, the only way to
reliably do so is to strip all tags, and never to whitelist. If you are
whitelisting, you should consider finding a reliable XSS filter through which to
run your output; we recommend HTML Purifier.
The Zend Framework team thanks the following for working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org