Fix #78814: strip_tags allows / in tag name => whitelist bypass

When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `<`, or immediately before the closing
`>`.

3 files changed, 11 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 8bb7aa5b1c..6ecf8ad34c 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ PHP                                                                        NEWS
   . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
   . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
     (cmb)
+  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
+    (cmb)
 
 21 Nov 2019, PHP 7.2.25
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
index dcf9cb44c7..da51cd0966 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4663,7 +4663,7 @@ int php_tag_find(char *tag, size_t len, const char *set) {
 					if (state == 0) {
 						state=1;
 					}
-					if (c != '/') {
+					if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) {
 						*(n++) = c;
 					}
 				} else {
diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt
new file mode 100644
index 0000000000..c8ad8373e0
--- /dev/null
+++ b/ext/standard/tests/strings/bug78814.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #78814 (strip_tags allows / in tag name => whitelist bypass)
+--FILE--
+<?php
+echo strip_tags("<s/trong>b</strong>", "<strong>");
+?>
+--EXPECT--
+b</strong>