Zend Framework

StripTags filter should never allow comments

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.7.9, 1.8.5, 1.9.7
  • Component/s: Zend_Filter
  • Labels: None
  • Fix Version Priority: Must Have

Description

Currently, the StripTags filter allows optionally allowing comments. However, this should never be allowed, as it's possible to perform IE-style conditional comments that could open XSS attack vectors:

$filter = new Zend_Filter_StripTags;
$filter->setCommentsAllowed(true);
$html = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->";
$out = $filter->filter($html);
// results in:
// <!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->
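
One way to enforce the behaviour this issue asks for, shown as an added example that is not Zend Framework's code or its actual fix: remove every comment, conditional or not, and treat an opener with no terminator as running to the end of the input. The helper name `strip_all_comments` is hypothetical, and the sample inputs are constructed apart from the first, which is the payload above.

```php
<?php
// Added example; not Zend Framework code. strip_all_comments() is a
// hypothetical helper name, and the sample inputs below are constructed
// (the first is the payload from the issue description).

/**
 * Remove every HTML comment, conditional comments included, so nothing
 * inside "<!-- ... -->" can reach the browser. Fails closed: an opener
 * with no terminator swallows the rest of the input.
 */
function strip_all_comments(string $html): string
{
    do {
        $before = $html;
        $out = '';
        $pos = 0;
        while (($start = strpos($html, '<!--', $pos)) !== false) {
            $out .= substr($html, $pos, $start - $pos);
            // Search from $start + 2 so the short forms "<!-->" and
            // "<!--->" are also treated as complete comments.
            $end = strpos($html, '-->', $start + 2);
            if ($end === false) {
                $pos = strlen($html);   // unterminated: drop the remainder
                break;
            }
            $pos = $end + 3;
        }
        $html = $out . substr($html, $pos);
        // Repeat until stable: removing one comment can splice the
        // surrounding fragments into a new "<!--" opener.
    } while ($html !== $before);

    return $html;
}

$samples = [
    "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->",
    'Hello <!-- note --> world',
    'a<!-<!---->-b',                       // opener reassembles after one pass
    'text <!-- never closed <b>bold</b>',  // unterminated comment
];

foreach ($samples as $input) {
    $clean = strip_all_comments($input);
    // After stripping, no comment opener may remain in the output.
    $ok = strpos($clean, '<!--') === false ? 'ok' : 'COMMENT LEFT';
    printf("%-6s %s => %s\n", $ok, var_export($input, true), var_export($clean, true));
}
```

Run the comment removal before any tag allow-listing, so that markup hidden inside a comment is never evaluated against the allowed-tags list at all.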

Activity

Matthew Weier O'Phinney added a comment -

Resolved in trunk and 1.9, 1.8, and 1.7 release branches.
