Zend Filter StripTags XSS Vulnerability

Just a heads up to those using the Zend Framework. Wil Sinclair posted the following to the Zend Framework announcements mailing list:

The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose which tags and specific attributes of those tags to keep. The XSS attack vector was due to a bug in matching HTML tag attributes to retain. If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters, the attribute would always be included in the final output, even if it was not marked to retain. A security fix has been created and released with Zend Framework 1.7.7. Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches. The Zend Framework team strongly recommends upgrading to version 1.7.7. If you cannot upgrade at this time, we recommend exporting from the release branch matching the minor release you are currently using, or downloading the file listed below and pushing it into your Zend Framework installation.

http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

Thank you,
Wil

I’ve been digging into the Zend Framework lately, and if you are looking to develop commercial sites quickly with a solid foundation, I highly recommend doing so with the Zend Framework.

Posted by Dave on March 20, 2009 in zend framework
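A regression check for the behaviour described in the announcement, added here as an example (it is not code from the Zend Framework team or from this post). It assumes Zend Framework 1.x is on your include_path. The allow-list of the a tag with only href, the title attribute, and the MARKER value are constructed for illustration.

```php
<?php
// Added example: checks whether the installed Zend_Filter_StripTags drops
// an attribute that is NOT on the allow-list when the input uses the
// spacing and newline variants named in the announcement.
// Assumption: Zend Framework 1.x is on the include_path.
require_once 'Zend/Filter/StripTags.php';

// Keep <a> tags, and on them keep only the href attribute.
function buildFilter()
{
    $filter = new Zend_Filter_StripTags();
    $filter->setTagsAllowed(array('a'));
    $filter->setAttributesAllowed(array('href'));
    return $filter;
}

// Constructed inputs: "title" is not allowed, so it must never survive.
function sampleCases()
{
    return array(
        'baseline'         => '<a href="/docs" title="MARKER">link</a>',
        'space before ='   => '<a href="/docs" title ="MARKER">link</a>',
        'space after ='    => '<a href="/docs" title= "MARKER">link</a>',
        'space both sides' => '<a href="/docs" title = "MARKER">link</a>',
        'newline in value' => "<a href=\"/docs\" title=\"MAR\nKER\">link</a>",
    );
}

// Returns label => filtered output for every case where the disallowed
// attribute name is still present after filtering.
function findRetainedAttributes($filter, array $cases)
{
    $failures = array();
    foreach ($cases as $label => $input) {
        $output = $filter->filter($input);
        if (stripos($output, 'title') !== false) {
            $failures[$label] = $output;
        }
    }
    return $failures;
}

$failures = findRetainedAttributes(buildFilter(), sampleCases());
foreach ($failures as $label => $output) {
    echo 'RETAINED [' . $label . ']: ' . $output . PHP_EOL;
}
echo count($failures) === 0 ? 'OK: disallowed attribute dropped' . PHP_EOL : '';
exit(count($failures) === 0 ? 0 : 1);
```

A non-zero exit status means a disallowed attribute survived filtering and the installation should be upgraded as the announcement recommends.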
