strip_tags vulnerability

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators


Post by Benjamin »

Considering that strip_tags won't remove PHP or HTML tags longer than 1024 characters from a string, I'm guessing that it should not be used inclusively for cleaning posted data.

Is whitelisting characters the only way?

Post by Oren »

htmlentities(), after all, we don't want to lose some of the information... We just want it to be safe for our use :wink:

Post by Benjamin »

Well that would work, but in my case I would then need a way to remove the html entities.

Post by Luke »

astions wrote: Well that would work, but in my case I would then need a way to remove the html entities.
How come?

Post by Benjamin »

Because I don't want them to be displayed when other people view the data that was posted by someone else.

I modified some code in phpBB and ended up with this..

function PrepareMessage($message) {
  $html_entities_match =   array('#&(?!(\#[0-9]+;))#', '#<#', '#>#');
  $html_entities_replace = array('',                   '',    '');

  $message = strip_tags($message);

  $message = trim($message);

  $message = preg_replace($html_entities_match, $html_entities_replace, $message);

  return $message;
}
Comments anyone?
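
Added example, not part of Benjamin's post or of phpBB: the PrepareMessage() filter above beside the escape-at-output approach Oren suggested, run on constructed messages. The function names `prepare_message_strip` and `escape_for_html` are hypothetical, `htmlspecialchars()` stands in for `htmlentities()`, and PHP 7 or later is assumed.

```php
<?php
// Added example (not from the thread). All sample messages are constructed.

// Filter-on-input approach, following the PrepareMessage() post above.
function prepare_message_strip(string $message): string
{
    $message = trim(strip_tags($message));
    // Delete bare ampersands and any remaining angle brackets.
    return preg_replace(['#&(?!(\#[0-9]+;))#', '#<#', '#>#'], '', $message);
}

// Escape-on-output approach: store the text as posted and encode it only
// when it is written into an HTML page.
function escape_for_html(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    'if a < b && b > c then swap',   // comparison operators, no markup
    'I <3 PHP & MySQL',              // "<" that does not open a real tag
    // long tag, same shape as the version test later in the thread
    "something<a href='" . str_repeat('x', 2048) . "'>qqqqq",
];

foreach ($samples as $raw) {
    $stripped = prepare_message_strip($raw);
    $escaped  = escape_for_html($raw);
    // Decoding the escaped form must give back exactly what was posted.
    $lossless = htmlspecialchars_decode($escaped, ENT_QUOTES) === $raw;

    printf("posted   (%4d bytes): %s\n", strlen($raw), substr($raw, 0, 40));
    printf("stripped (%4d bytes): %s\n", strlen($stripped), substr($stripped, 0, 40));
    printf("escaped  (%4d bytes): %s\n", strlen($escaped), substr($escaped, 0, 40));
    printf("escaped form contains raw < or >: %s, round-trips: %s\n\n",
        preg_match('/[<>]/', $escaped) ? 'yes' : 'no',
        $lossless ? 'yes' : 'no');
}
```

A browser decodes the entities when it renders the page, so readers see the characters as they were posted rather than the entity text.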

Post by Oren »

I've just tested the strip_tags() function and I believe that the 1024 characters problem is gone. I tested it with a very long tag (more than 17,000 characters) and it worked great.

P.S. I work with PHP 5.1.4

Post by Benjamin »

Good to hear that.

Post by feyd »

I posted a snip a long time ago that works a bit smarter than strip_tags().. check Useful Posts.

Post by Oren »

What do you mean by 'smarter'? In what way? (except for the 1024 characters problem)

Post by feyd »

Read the thread I referenced.

Post by Oren »

Just read it... Thanks :wink:

P.S. I also read it a few months ago when I first came to DevNetwork, but I've already forgotten about it :P

Post by Weirdan »

After a brief look over the sources of PHP 4.0, it appears the 1k tag length limitation arises only when you use the second argument to strip_tags... anyone care to check it?

Post by Oren »

That's what I've heard too, but I can't check it since I'm using PHP 5.1.4.
Oh.... and... I forgot that :oops: and when I did the test I didn't use a second argument :?
I'll do another test real quick and post the result here in a few minutes :wink:

Post by Weirdan »

var_dump("PHP version: " . phpversion());
$testString = "something<a href='" . str_repeat('x', 2048) . "'>qqqqq";
var_dump(strip_tags($testString));
var_dump(strip_tags($testString, '<a>'));
$testString = "something<a href='" . str_repeat('x', 1000) . "'>qqqqq";
var_dump(strip_tags($testString, '<a>'));
output

string(18) "PHP version: 4.4.0"
string(14) "somethingqqqqq"
string(14) "somethingqqqqq"
string(1025) "something<a href='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'>qqqqq"
In other words, strip_tags goes the "better safe than sorry" way and strips long tags (longer than PHP_TAG_BUF_SIZE) regardless of whether they appear in the allowed_tags parameter or not.
Relevant piece of code: http://koders.com/c/fidEF658CE0ADD1609B ... tags#L2325

Post by Oren »

Oh, I'm sorry... I started to read about Ajax and totally forgot to run the test :P