diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-11-17 14:14:59 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-02 11:37:25 +0100 |
| commit | 600f1f898f9771d13880255e74ea1c10590f5fd5 (patch) | |
| tree | cb80033c98a04465e49d2ee91cdd67a29093ab6a /ext | |
| parent | db420cb6a141876b2f7d101051fb01934a28071a (diff) | |
| download | php-git-600f1f898f9771d13880255e74ea1c10590f5fd5.tar.gz | |
Fix #78814: strip_tags allows / in tag name => whitelist bypass
When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `<`, or immediately before the closing
`>`.
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/standard/string.c | 2 | ||||
| -rw-r--r-- | ext/standard/tests/strings/bug78814.phpt | 8 |
2 files changed, 9 insertions, 1 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index dcf9cb44c7..da51cd0966 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -4663,7 +4663,7 @@ int php_tag_find(char *tag, size_t len, const char *set) { if (state == 0) { state=1; } - if (c != '/') { + if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) { *(n++) = c; } } else { diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt new file mode 100644 index 0000000000..c8ad8373e0 --- /dev/null +++ b/ext/standard/tests/strings/bug78814.phpt @@ -0,0 +1,8 @@ +--TEST-- +Bug #78814 (strip_tags allows / in tag name => whitelist bypass) +--FILE-- +<?php +echo strip_tags("<s/trong>b</strong>", "<strong>"); +?> +--EXPECT-- +b</strong> |