Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML
comments in filtered text. Microsoft Internet Explorer and several other
browsers allow developers to create conditional functionality via HTML comments,
including execution of script events and rendering of additional commented
markup. By allowing whitelisting of HTML comments, a malicious user could
potentially include XSS exploits within HTML comments that would then be
rendered in the final output.
The Zend Framework team has determined that since this vulnerability is so
trivial to exploit, the functionality to allow whitelisting comments will now be
disabled in this and all future releases. Additionally, the regular expression
for stripping comments has been bolstered to properly remove comments containing
HTML tags, nested comments, and comments ending with whitespace between the --
and ending delimiter (>).
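To make the three weaknesses concrete, here is an added Python example (not Zend Framework code) that strips comments the way the advisory describes: it works from the last `<!--` backwards so nested comments are removed inside-out, accepts whitespace between `--` and `>`, and drops everything after an unterminated opener. The naive `<!--.*?-->` pattern is kept alongside it to show what it misses.

```python
import re

# Accept "-- >" as a closer: some browsers of the era did, so a filter that
# only recognises "-->" lets such a comment (and its contents) through.
_CLOSER = re.compile(r"--\s*>")

def strip_html_comments_naive(value: str) -> str:
    """The obvious one-liner; fails on '-- >' closers and nested openers."""
    return re.sub(r"<!--.*?-->", "", value, flags=re.S)

def strip_html_comments(value: str) -> str:
    """Remove every HTML comment, including comments that contain tags,
    nested '<!--' openers, or whitespace before the closing '>'.

    Processing the last opener first means an inner comment is removed
    before the outer one that wraps it.  An opener with no closer removes
    the rest of the input, since a browser would treat it as comment too."""
    while True:
        pos = value.rfind("<!--")
        if pos == -1:
            return value
        head, tail = value[:pos], value[pos:]
        # Search from index 2 so that '<!-->' and '<!--->' also count as closed.
        match = _CLOSER.search(tail, 2)
        # Unterminated comment: nothing after the opener is safe to keep.
        tail = "" if match is None else tail[match.end():]
        value = head + tail

if __name__ == "__main__":
    # Constructed samples covering the three cases named in the advisory.
    samples = [
        "a<!-- <b>bold</b> -->b",                 # comment containing tags
        "a<!-- outer <!-- inner --> still -->b",  # nested comment
        "a<!-- x -- >b",                          # whitespace before '>'
        "<!--[if IE]><script>evil()</script><![endif]-->safe",
    ]
    for s in samples:
        print(repr(strip_html_comments_naive(s)), "->", repr(strip_html_comments(s)))
```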
If you use this filter and were enabling the allowComments functionality, be
advised that it is now silently ignored. We also recommend that such users
upgrade immediately to the latest available Zend Framework release, or to one
of the following releases.
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2010-01-11
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com