The strip_tags modifier is not secure and does not always work as expected. It is possible to get typical XSS strings past the modifier even though PHP's own strip_tags() would remove them. The risk is that users assume they can stop XSS attacks just by applying strip_tags.
Steps to reproduce:
// The modifier as shipped: the default branch uses a regex, and only the
// non-default branch calls PHP's strip_tags().
function smarty_modifier_strip_tags($string, $replace_with_space = true)
{
    if ($replace_with_space)
        // Requires a terminating '>' to match, so an unclosed tag is left alone.
        return preg_replace('!<[^>]*?>!', ' ', $string);
    else
        return strip_tags($string);
}

// An unclosed <img ...> tag: there is no '>' for the regex to match on.
$test1 = 'xss <img src="http://tctechcrunch.files.wordpress.com/2009/04/warning-sign.gif" //';
// Prints the input unchanged, tag included.
echo smarty_modifier_strip_tags($test1);
CMS Made Simple versions affected: all
Discussion:
preg_replace('!<[^>]*?>!', ' ', $string); is not the same as strip_tags($string).
The preg_replace statement in this function requires a terminating '>' before it matches anything, so a tag that is never closed, such as the <img ... // in the example above, passes through untouched. A browser does not need the '>' to be present: it parses the tag anyway, so the attacker's markup reaches the page. PHP's strip_tags() treats everything from the '<' to the end of the string as part of the unclosed tag and removes it.
Proposed resolution: It would be better to rely on PHP's strip_tags alone, since it has a far more refined tag-stripping state machine (it handles unclosed tags and quoted attribute values, and leaves a '<' that is followed by whitespace as ordinary text). Note that even the corrected modifier is not an XSS defence by itself: untrusted data placed into HTML should be escaped at output with htmlspecialchars(), and tag stripping should be treated as a convenience for cleaning text, not as a security boundary.
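As an added example (this is my code, not the report's and not part of CMS Made Simple), the following PHP script runs the modifier's regex, a hypothetical fixed modifier built on PHP's strip_tags(), and plain output escaping over a few constructed probe strings. The function names regex_strip and strip_tags_modifier_fixed, the probe strings and the example.invalid URL are assumptions for illustration only.

```php
<?php
// Added example, not code from CMS Made Simple or from the bug report.
// Compares the modifier's regex with PHP's strip_tags() on a few probes
// and shows one way to keep the "replace with space" option while
// relying on strip_tags() for the actual stripping.

// The regex branch of the reported modifier, kept as-is for comparison.
function regex_strip(string $string): string
{
    return preg_replace('!<[^>]*?>!', ' ', $string);
}

// Hypothetical fixed modifier (an assumption, not the project's patch):
// delegate to strip_tags() and emulate "replace with space" by putting a
// space in front of every '<' before stripping. A '<' followed by
// whitespace is not a tag start for strip_tags(), so "1 < 2" survives.
function strip_tags_modifier_fixed(string $string, bool $replace_with_space = true): string
{
    if ($replace_with_space) {
        $string = str_replace('<', ' <', $string);
    }
    return strip_tags($string);
}

// Constructed probe strings (not taken from any real application).
$probes = [
    'closed tag'   => 'xss <b>bold</b> text',
    'unclosed tag' => 'xss <img src="http://example.invalid/x.gif" //',
    'quoted >'     => 'xss <a title="a>b">link</a>',
    'literal <'    => '1 < 2 and 3 > 2',
];

foreach ($probes as $name => $input) {
    printf("%-12s regex   : %s\n", $name, regex_strip($input));
    printf("%-12s fixed   : %s\n", '', strip_tags_modifier_fixed($input));
    // Output encoding is the real XSS defence: the browser renders the
    // markup as visible text instead of parsing it.
    printf("%-12s escaped : %s\n\n", '', htmlspecialchars($input, ENT_QUOTES, 'UTF-8'));
}
```

Run it with the php command-line binary. The regex line leaves the unclosed <img ...> untouched, cuts a quoted attribute value containing '>' in the wrong place, and eats the "< 2 and 3 >" span out of ordinary text, whereas the strip_tags()-based modifier drops the unclosed tag, respects the quoted attribute and keeps a '<' that is followed by whitespace. Only the escaped line is guaranteed to be treated as text by a browser, which is why output escaping, not tag stripping, is the control to rely on.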