From: [EMAIL PROTECTED]
Operating system: Linux
PHP version: 4.0.6
PHP Bug Type: Feature/Change Request
Bug description: strip_tags allows javascript
The html strip_tags() function permits any attributes. This gives a security hole. E.g. allowing <b> also permits:

<b onclick="javascript.document.location='http://www.evil.com';">

That's not so nice!

Context: I run a website in which I want to allow (untrusted) users to post messages formatted with a very limited subset of html. I don't want them to be able to do anything nasty.

I am aware that this may not really be a bug per se, and might be better as a new string function ('vanilla_tags'). But it could bite the unwary.

Thanks a lot
Richard

-- 
Edit bug report at http://bugs.php.net/?id=15972&edit=1
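The behaviour described in the report, shown as an added example (this is not code from the bug report or from PHP itself). The first part demonstrates that strip_tags() keeps attributes on tags it is told to allow; the second part is a hypothetical vanilla_tags() function, named after the reporter's suggestion, that rebuilds every surviving tag from its name alone so no attribute can carry through. The input string is constructed for the example.

```php
<?php
// Added example, not part of the original bug report or of PHP's own code.

// Constructed input: <b> is on the allow-list, but it carries an event handler.
$input = 'Hello <b onclick="document.location=\'http://www.evil.com\'">world</b>'
       . ' <script>alert(1)</script>';

// strip_tags() drops <script>, but the allowed <b> keeps its onclick attribute,
// so the markup is still a working XSS payload once rendered.
$stripped = strip_tags($input, '<b><i>');
echo $stripped, "\n";
// Hello <b onclick="document.location='http://www.evil.com'">world</b> alert(1)

/**
 * Hypothetical vanilla_tags(): keep only the tags named in $allowed (lowercase
 * tag names, e.g. array('b', 'i', 'p')) and emit each one as a bare
 * "<name>" or "</name>", discarding attributes, event handlers and any
 * javascript: URL that an href or src could have carried.
 */
function vanilla_tags($html, array $allowed)
{
    // First pass: let strip_tags() remove every tag that is not allowed.
    $allowedSpec = '';
    foreach ($allowed as $tag) {
        $allowedSpec .= '<' . strtolower($tag) . '>';
    }
    $html = strip_tags($html, $allowedSpec);

    // Second pass: rewrite each remaining tag from its name only. Anything
    // between the tag name and the closing ">" is thrown away.
    return preg_replace_callback(
        '#<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>#',
        function ($m) use ($allowed) {
            $name = strtolower($m[2]);
            if (!in_array($name, $allowed, true)) {
                // Belt and braces: strip_tags() should already have removed it.
                return '';
            }
            return '<' . $m[1] . $name . '>';
        },
        $html
    );
}

echo vanilla_tags($input, array('b', 'i')), "\n";
// Hello <b>world</b> alert(1)
```

The second pass is what closes the hole the report describes: the tag name is the only thing copied from the user's markup, so an allowed <b> or <a> can never smuggle an onclick or a javascript: href through. Note that the regex stops at the first ">", so an attribute value containing ">" leaves its tail behind as plain text rather than markup; that is harmless but visible. For anything beyond a handful of inline tags, a real HTML sanitiser that parses the markup (for example HTML Purifier) is the safer choice, since strip_tags() was never designed to be a sanitiser.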
