strip_tags vulnerability
Posted: Tue Jun 20, 2006 1:26 pm
by Benjamin
Considering that strip_tags won't remove php or html tags longer than 1024 characters from a string, I'm guessing that it should not be used inclusively for cleaning posted data.
Is whitelisting characters the only way?
Posted: Tue Jun 20, 2006 1:37 pm
by Oren
htmlentities(). After all, we don't want to lose some of the information... We just want it to be safe for our use.

Posted: Tue Jun 20, 2006 1:39 pm
by Benjamin
Well that would work, but in my case I would then need a way to remove the html entities.
Posted: Tue Jun 20, 2006 1:45 pm
by Luke
astions wrote: Well that would work, but in my case I would then need a way to remove the html entities.
how come?
Posted: Tue Jun 20, 2006 1:50 pm
by Benjamin
Because I don't want them to be displayed when other people view the data that was posted by someone else.
I modified some code in phpbb and ended up with this..

<?php
// Removes tags and the characters that could start new markup,
// then drops stray ampersands unless they begin a numeric entity (&#123;).
function PrepareMessage($message) {
    // '&' not followed by a numeric entity, plus every '<' and '>'
    $html_entities_match = array('#&(?!(\#[0-9]+;))#', '#<#', '#>#');
    $html_entities_replace = array('', '', '');
    $message = strip_tags($message);   // remove HTML and PHP tags
    $message = trim($message);         // drop surrounding whitespace
    $message = preg_replace($html_entities_match, $html_entities_replace, $message);
    return $message;
}
Comments anyone?
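The two approaches argued over in this thread, side by side, as an added example (not code from the thread or from phpBB). It keeps the posted text exactly as typed and escapes it only when rendered, which is what htmlspecialchars() is for, and contrasts that with stripping at input time, which loses characters such as a literal "<" for good. The function names and the sample messages are my own; the code assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Approach 1 (what the PrepareMessage() above does): sanitize when the message is
// stored. Markup is removed permanently, so an honest "1 < 2" loses its bracket
// and the original text cannot be reconstructed later.
function sanitize_on_input(string $message): string
{
    $message = strip_tags($message);
    return preg_replace('/[<>]/', '', trim($message));
}

// Approach 2 (Oren's suggestion): store the text as typed and escape the
// characters HTML cares about at render time. ENT_QUOTES covers both quote
// styles, so the result is also safe inside an attribute value; the browser
// displays exactly what the poster wrote.
function escape_on_output(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defender's check: after escaping, no character that can open or close
// markup or break out of an attribute may remain unescaped.
function is_safe_for_html(string $rendered): bool
{
    return preg_match('/[<>"\']/', $rendered) === 0;
}

// Constructed inputs: an honest message that happens to contain "<" and "&",
// and a message carrying a tag whose attribute is well over the 1024-byte
// tag buffer discussed in this thread.
$samples = [
    'math'     => 'If 1 < 2 then "a" & b',
    'long_tag' => "hello<a href='" . str_repeat('x', 2048) . "'>world",
];

foreach ($samples as $name => $input) {
    $stripped = sanitize_on_input($input);
    $escaped  = escape_on_output($input);
    printf("%s\n", $name);
    printf("  stripped : %s\n", $stripped);
    printf("  escaped  : %s%s\n", substr($escaped, 0, 72), strlen($escaped) > 72 ? '...' : '');
    printf("  safe     : %s\n", is_safe_for_html($escaped) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The escaped form of the long-tag sample is longer than the input because "<", ">" and the quotes become entities, but it is safe to echo into a page regardless of how long the tag was, which is the property the strip_tags() buffer discussion is really about.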
Posted: Tue Jun 20, 2006 2:22 pm
by Oren
I've just tested the strip_tags() function and I believe that the 1024 characters problem is gone. I tested it with a very long tag (more than 17,000 characters) and it worked great.
P.S. I work with PHP 5.1.4
Posted: Tue Jun 20, 2006 2:24 pm
by Benjamin
Good to hear that.
Posted: Tue Jun 20, 2006 2:25 pm
by feyd
I posted a snip a long time ago that works a bit smarter than strip_tags().. check Useful Posts.
Posted: Tue Jun 20, 2006 2:31 pm
by Oren
What do you mean by 'smarter'? In what way? (except to the 1024 characters problem)
Posted: Tue Jun 20, 2006 2:58 pm
by feyd
read the thread I referenced.
Posted: Tue Jun 20, 2006 4:00 pm
by Oren
Just read it... Thanks
P.S. I also read it a few months ago when I first came to DevNetwork, but I'd already forgotten about it

Posted: Tue Jun 20, 2006 5:38 pm
by Weirdan
After a brief look over the sources of php 4.0 it appears the 1k tag length limitation arises only when you use the second argument to strip_tags... anyone care to check it?
Posted: Wed Jun 21, 2006 2:49 am
by Oren
That's what I've heard too, but I can't check it since I'm using PHP 5.1.4.
Oh.... and... I forgot that, and when I did the test I didn't use the second argument.
I'll do another test real quick and post the result here in a few minutes

Posted: Wed Jun 21, 2006 3:57 am
by Weirdan
<?php
// Report the interpreter version, then try strip_tags() with and without an
// allowed-tags list on a tag that exceeds the 1k buffer, and on one that fits.
var_dump("PHP version: " . phpversion());
$testString = "something<a href='" . str_repeat('x', 2048) . "'>qqqqq"; // tag > 1024 bytes
var_dump(strip_tags($testString));          // no allowed tags
var_dump(strip_tags($testString, '<a>'));   // <a> allowed, but tag is too long
$testString = "something<a href='" . str_repeat('x', 1000) . "'>qqqqq"; // tag fits in the buffer
var_dump(strip_tags($testString, '<a>'));   // <a> allowed and kept
Output:
string(18) "PHP version: 4.4.0"
string(14) "somethingqqqqq"
string(14) "somethingqqqqq"
string(1025) "something<a href='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'>qqqqq"
In other words, strip_tags goes the "better safe than sorry" way and strips long tags (longer than PHP_TAG_BUF_SIZE) regardless of whether they appear in the allowed_tags parameter or not.
Relevant piece of code:
http://koders.com/c/fidEF658CE0ADD1609B ... tags#L2325
Posted: Wed Jun 21, 2006 4:07 am
by Oren
Oh, I'm sorry... I started to read about Ajax and totally forgot to run the test
