strip_tags vulnerability
Considering that strip_tags won't remove PHP or HTML tags longer than 1024 characters from a string, I'm guessing that it should not be used inclusively for cleaning posted data.
Is whitelisting characters the only way?
htmlentities(). After all, we don't want to lose some of the information... We just want it to be safe for our use.
Because I don't want them to be displayed when other people view the data that was posted by someone else.
I modified some code in phpBB and ended up with this..

function PrepareMessage($message) {
    // Characters that are significant in HTML: '&' (unless it already starts a
    // numeric entity such as &#123;), '<' and '>'.
    $html_entities_match = array('#&(?!(\#[0-9]+;))#', '#<#', '#>#');
    // Replaced with empty strings, so those characters are removed from the
    // message rather than encoded as entities.
    $html_entities_replace = array('', '', '');
    // Drop tags first, then trim whitespace, then remove the remaining
    // HTML-significant characters.
    $message = strip_tags($message);
    $message = trim($message);
    $message = preg_replace($html_entities_match, $html_entities_replace, $message);
    return $message;
}

Comments anyone?

I've just tested the strip_tags() function and I believe that the 1024 characters problem is gone. I tested it with a very long tag (more than 17,000 characters) and it worked great.
P.S. I work with PHP 5.1.4
- feyd
I posted a snip a long time ago that works a bit smarter than strip_tags().. check Useful Posts.
var_dump("PHP version: " . phpversion());
// A tag whose href attribute is 2048 characters long, well past the 1024-byte limit.
$testString = "something<a href='" . str_repeat('x', 2048) . "'>qqqqq";
var_dump(strip_tags($testString));
// Same input, but with <a> listed as an allowed tag.
var_dump(strip_tags($testString, '<a>'));
// Same test with a 1000-character attribute, under the limit.
$testString = "something<a href='" . str_repeat('x', 1000) . "'>qqqqq";
var_dump(strip_tags($testString, '<a>'));

Output:
string(18) "PHP version: 4.4.0"
string(14) "somethingqqqqq"
string(14) "somethingqqqqq"
string(1025) "something<a href='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'>qqqqq"

regardless of whether they appear in allowed_tags parameter or not.
Relevant piece of code: http://koders.com/c/fidEF658CE0ADD1609B ... tags#L2325
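A hardened version of the approach discussed in this thread, written as an added example that is not code from the thread, from phpBB or from feyd's snippet. Instead of deleting markup with strip_tags() (which, as the test output above shows, treats tags over 1024 characters differently from shorter ones and throws away text the user typed), it escapes the text for HTML output with htmlspecialchars(), so that '<', '>', '&' and quotes are displayed literally and no tag, however long, can be rendered. The function names escapeForHtml() and isInert(), and the sample inputs, are constructed for this example; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread or from phpBB. Assumes PHP 7+.
// Escape user text for insertion into HTML rather than trying to strip tags.

// Converts the characters HTML treats specially into entities. Nothing the
// user typed is lost; the browser displays '<b>' literally instead of
// interpreting it. ENT_QUOTES also covers attribute contexts (' and ").
function escapeForHtml(string $text): string
{
    return htmlspecialchars(trim($text), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when the escaped string can no longer open a tag or an unexpected entity.
function isInert(string $escaped): bool
{
    return strpos($escaped, '<') === false
        && strpos($escaped, '>') === false
        && !preg_match('/&(?!(amp|lt|gt|quot|#039);)/', $escaped);
}

// Constructed inputs: the long-attribute tag from the test in this thread,
// and a short script tag mixed with text that should be preserved.
$inputs = [
    'long-tag'   => "something<a href='" . str_repeat('x', 2048) . "'>qqqqq",
    'script-tag' => "hello<script>x</script>world & <b>bold</b>",
];

foreach ($inputs as $label => $input) {
    $stripped = strip_tags($input, '<a>');  // the call the thread experimented with
    $escaped  = escapeForHtml($input);

    // The stripped length shows how much input strip_tags() discarded; the
    // escaped string keeps everything and is safe to echo into a page body.
    printf("%s: strip_tags(...,'<a>') -> %d bytes; escaped -> %d bytes, inert: %s\n",
        $label, strlen($stripped), strlen($escaped), isInert($escaped) ? 'yes' : 'no');
}
```

Escaping at output time is the check to apply regardless of which PHP version fixed the 1024-byte behaviour, since it does not depend on strip_tags() recognising a tag at all; keep the original text in storage and escape it where it is rendered.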