GHSA-4vf6-mq7w-3hp6: Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed

June 7, 2024

Zend_Filter_StripTags contained an optional setting to allow allowlisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing allowlisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.

References

github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2010-03.yaml
github.com/advisories/GHSA-4vf6-mq7w-3hp6
github.com/zendframework/zf1
web.archive.org/web/20210411020019/https://framework.zend.com/security/advisory/ZF2010-03

Detect and mitigate GHSA-4vf6-mq7w-3hp6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →