15 lines
No EOL
768 B
Text
15 lines
No EOL
768 B
Text
source: https://www.securityfocus.com/bid/10724/info
|
|
|
|
It is reported that it is possible to bypass PHPs strip_tags() function.
|
|
|
|
It is reported that under certain circumstances, PHPs strip_tags() function will improperly leave malformed tags in place.
|
|
|
|
This vulnerability may mean that previously presumed-safe web applications could contain multiple cross-site scripting and HTML injection vulnerabilities when viewed by Microsoft Internet Explorer or Apple Safari web browsers.
|
|
|
|
It is reported that 'magic_quotes_gpc' must be off for PHP to be vulnerable to this issue.
|
|
|
|
If a web application uses strip_tags() similar to:
|
|
$example = strip_tags($_REQUEST['user_input'], "<b><i><s>");
|
|
|
|
Then possible tags that may lead to exploitation might be:
|
|
<\0script> or <s\0cript> |