GHSA-gwpm-pm6x-h7rj: ZendFramework Cross-site Scripting vector in `Zend_Filter_StripTags`
Zend_Filter_StripTags is a filtering class analogous to PHP’s strip_tags() function. In addition to stripping HTML tags and selectively keeping those provided in an allowlist, it also provides the ability to allowlist specific attributes to retain per allowlisted tag.
The reporter discovered that attributes containing whitespace, and in particular line breaks, around the attribute assignment operator (“=”) would not be stripped, regardless of whether or not they were allowlisted. As an example of affected input:
<!-- newlines before and/or after assignment: -->
<a href="http://framework.zend.com/issues" onclick
=
"alert('Broken'); return false;">Issues</a>
When passed to the following code:
$filter = new Zend_Filter_StripTags(array('a' => array('href')));
$value = $filter->filter($html);
then the “onclick” attribute would remain in the output, even though it was not specified in the tag’s attribute allowlist. This could open cross-site scripting (XSS) attack vectors.
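To make the failure mode concrete, the following is an added illustration, not Zend Framework’s own code: a deliberately simplified regex-based allowlist filter whose function names, patterns and constructed input are assumptions of this example. The point it demonstrates is that an attribute matcher which only recognises name="value" with nothing around the “=” leaves a newline-wrapped attribute in place, while a matcher that tolerates whitespace (newlines included) around “=” strips it as the allowlist intends.

```php
<?php
// Added illustration, not Zend Framework code. A simplified regex-based
// attribute allowlist filter; function names and patterns are hypothetical.
// It shows why an attribute matcher must tolerate whitespace, including
// newlines, on both sides of "=".

// Constructed input in the same shape as the advisory's example.
$html = "<a href=\"http://framework.zend.com/issues\" onclick\n=\n\"alert('Broken'); return false;\">Issues</a>";

// Allowlist in the shape the advisory shows: tag => attributes to keep.
$allowed = array('a' => array('href'));

// Naive attribute pattern: a name immediately followed by ="value".
// Anything this pattern does not match is simply left inside the tag.
$naiveAttrPattern = '/\s*([\w:-]+)="[^"]*"/';

// Hardened attribute pattern: optional whitespace (\s covers newlines) on
// both sides of "=", double-quoted, single-quoted or unquoted values, and
// valueless attributes such as "disabled".
$strictAttrPattern = '/\s*([\w:-]+)(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s"\'>]+))?/';

// Rebuilds an attribute string, keeping only allowlisted attribute names.
function filterAttributes($attrString, array $allowedAttrs, $attrPattern)
{
    return preg_replace_callback($attrPattern, function ($m) use ($allowedAttrs) {
        // $m[0] is the whole attribute (with leading whitespace), $m[1] its name.
        return in_array(strtolower($m[1]), $allowedAttrs, true) ? $m[0] : '';
    }, $attrString);
}

// Drops tags that are not allowlisted and filters attributes on the rest.
function stripTagsWithAllowlist($html, array $allowed, $attrPattern)
{
    $tagPattern = '/<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:[^>"\']|"[^"]*"|\'[^\']*\')*)>/';
    return preg_replace_callback($tagPattern, function ($m) use ($allowed, $attrPattern) {
        $tag = strtolower($m[2]);
        if (!isset($allowed[$tag])) {
            return '';                 // tag not allowlisted: remove the tag itself
        }
        if ($m[1] === '/') {
            return '</' . $tag . '>';  // closing tags carry no attributes
        }
        return '<' . $tag . filterAttributes($m[3], $allowed[$tag], $attrPattern) . '>';
    }, $html);
}

// Reports whether any on* event-handler attribute survived filtering; this is
// the assertion a regression test for this advisory would make.
function hasEventHandlerAttribute($filteredHtml)
{
    return (bool) preg_match('/\son[a-z]+\s*=/i', $filteredHtml);
}

$naive  = stripTagsWithAllowlist($html, $allowed, $naiveAttrPattern);
$strict = stripTagsWithAllowlist($html, $allowed, $strictAttrPattern);

echo "naive handler survived:  ", var_export(hasEventHandlerAttribute($naive), true), "\n", $naive, "\n\n";
echo "strict handler survived: ", var_export(hasEventHandlerAttribute($strict), true), "\n", $strict, "\n";
```

Run with the PHP CLI: the naive pattern never matches the newline-wrapped attribute, so the tag is emitted unchanged with “onclick” still present, while the hardened pattern consumes `onclick\n=\n"…"` as one attribute, finds its name absent from the allowlist, and emits only `<a href="http://framework.zend.com/issues">Issues</a>`. The same whitespace tolerance is what a regression test against the real filter should exercise.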