Security Advisory: ZF2010-03

ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed

Executive Summary

Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.

Action Taken

The Zend Framework team has determined that since this vulnerability is so trivial to exploit, the functionality to allow whitelisting comments will now be disabled in this and all future releases. Additionally, the regular expression for stripping comments has been bolstered to properly remove comments containing HTML tags, nested comments, and comments ending with whitespace between the -- and ending delimiter (>).

Recommendations

If you use this filter and were enabling the allowComments functionality, be advised that it is now silently ignored. We also recommend such users to upgrade to the latest available Zend Framework release, or one of the following releases, immediately.

  • 1.9.7
  • 1.8.5
  • 1.7.9

Other Information

Acknowledgments

The Zend Framework team thanks the following for working with us to help protect its users:

  • Pádraic Brady, who made the initial report and who worked with our team to ensure that the appropriate actions were taken

Released 2010-01-11

Back to advisories

Have you identified a security vulnerability?

Please report it to us at zf-security@zend.com

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts