
strip_tags vulnerability

Posted: Tue Jun 20, 2006 1:26 pm
by Benjamin
Considering that strip_tags won't remove php or html tags longer than 1024 characters from a string, I'm guessing that it should not be used inclusively for cleaning posted data.

Is whitelisting characters the only way?

Posted: Tue Jun 20, 2006 1:37 pm
by Oren
htmlentities(). After all, we don't want to lose some of the information... We just want it to be safe for our use :wink:

Posted: Tue Jun 20, 2006 1:39 pm
by Benjamin
Well that would work, but in my case I would then need a way to remove the html entities.

Posted: Tue Jun 20, 2006 1:45 pm
by Luke
astions wrote: Well that would work, but in my case I would then need a way to remove the html entities.
how come?

Posted: Tue Jun 20, 2006 1:50 pm
by Benjamin
Because I don't want them to be displayed when other people view the data that was posted by someone else.

I modified some code in phpbb and ended up with this..


function PrepareMessage($message) {
  // remove '&' unless it starts a numeric entity (&#123;), and remove every '<' and '>'
  $html_entities_match =   array('#&(?!(\#[0-9]+;))#', '#<#', '#>#');
  $html_entities_replace = array('',                   '',    '');

  $message = strip_tags($message);

  $message = trim($message);

  $message = preg_replace($html_entities_match, $html_entities_replace, $message);

  return $message;
}
Comments anyone?
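As an added example (not code from this thread), the following contrasts the destructive cleaning done by the PrepareMessage() function above with Oren's output-encoding suggestion. It assumes PHP 7 or later; the function names are my own.

```php
<?php
// Added example, not from the thread. Assumes PHP 7 or later (scalar type hints).
// Function names (prepare_message_destructive, render_message, self_check) are mine.

// Benjamin's PrepareMessage() reduced to its effect on the data: tags are removed,
// then '&' (except numeric entities), '<' and '>' are deleted outright.
function prepare_message_destructive(string $message): string {
    $message = trim(strip_tags($message));
    return preg_replace(
        array('#&(?!(\#[0-9]+;))#', '#<#', '#>#'),
        array('', '', ''),
        $message
    );
}

// Oren's suggestion: keep the posted text as-is and encode it when it is rendered into HTML.
// The browser shows the original characters, so nothing is lost and nothing is parsed as markup.
function render_message(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed samples: legitimate text that uses '<', '>' and '&', and Weirdan's 2048-byte tag.
function self_check(): bool {
    $samples = array(
        'if (a < b && c > d) { return "ok"; }',
        "something<a href='" . str_repeat('x', 2048) . "'>qqqqq",
    );
    foreach ($samples as $raw) {
        $cleaned = prepare_message_destructive($raw);
        $encoded = render_message($raw);
        // destructive cleaning alters the text, and the original cannot be recovered
        if ($cleaned === $raw) { return false; }
        // encoding is loss-free: decoding gives back exactly what was posted
        if (html_entity_decode($encoded, ENT_QUOTES, 'UTF-8') !== $raw) { return false; }
        // and the encoded form contains no raw markup characters
        if (strpbrk($encoded, '<>"\'') !== false) { return false; }
    }
    return true;
}

var_dump(self_check());
```

The same encoding step applies to text that has already been through strip_tags(): removing tags does not make a string safe to drop into an HTML attribute or a quoted context.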

Posted: Tue Jun 20, 2006 2:22 pm
by Oren
I've just tested the strip_tags() function and I believe that the 1024 characters problem is gone. I tested it with a very long tag (more than 17,000 characters) and it worked great.

P.S. I work with PHP 5.1.4

Posted: Tue Jun 20, 2006 2:24 pm
by Benjamin
Good to hear that.

Posted: Tue Jun 20, 2006 2:25 pm
by feyd
I posted a snip a long time ago that works a bit smarter than strip_tags().. check Useful Posts.

Posted: Tue Jun 20, 2006 2:31 pm
by Oren
What do you mean by 'smarter'? In what way? (except to the 1024 characters problem)

Posted: Tue Jun 20, 2006 2:58 pm
by feyd
Read the thread I referenced.

Posted: Tue Jun 20, 2006 4:00 pm
by Oren
Just read it... Thanks :wink:

P.S. I also read it a few months ago when I first came to DevNetwork, but I've already forgotten about it :P

Posted: Tue Jun 20, 2006 5:38 pm
by Weirdan
After a brief look over the sources of PHP 4.0 it appears the 1k tag length limitation arises only when you use the second argument to strip_tags... anyone care to check it?

Posted: Wed Jun 21, 2006 2:49 am
by Oren
That's what I've heard too, but I can't check it since I'm using PHP 5.1.4.
Oh.... and... I forgot that :oops: and when I did the test I didn't use the second argument :?
I'll do another test real quick and post the result here in a few minutes :wink:

Posted: Wed Jun 21, 2006 3:57 am
by Weirdan

var_dump("PHP version: " . phpversion());
// 2048-byte tag: stripped both without and with '<a>' in the allowed tags
$testString = "something<a href='" . str_repeat('x', 2048) . "'>qqqqq";
var_dump(strip_tags($testString));
var_dump(strip_tags($testString, '<a>'));
// 1000-byte tag: kept when '<a>' is allowed
$testString = "something<a href='" . str_repeat('x', 1000) . "'>qqqqq";
var_dump(strip_tags($testString, '<a>'));
Output:

string(18) "PHP version: 4.4.0"
string(14) "somethingqqqqq"
string(14) "somethingqqqqq"
string(1025) "something<a href='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'>qqqqq"
In other words, strip_tags goes the "better safe than sorry" way and strips long tags (longer than PHP_TAG_BUF_SIZE) regardless of whether they appear in the allowed_tags parameter or not.
Relevant piece of code: http://koders.com/c/fidEF658CE0ADD1609B ... tags#L2325

Posted: Wed Jun 21, 2006 4:07 am
by Oren
Oh, I'm sorry... I started to read about Ajax and totally forgot to run the test :P