In the PHP world, solely relying upon PHP’s strip_tags() function to protect your web application from JavaScript injections is a bad idea. If you do, you may be vulnerable in even the most recent browsers (I tested in Chrome 17.0.963.83, Firefox 9.0.1 and Internet Explorer 9). There may be parallels in other languages too, so beware.

You’ll be vulnerable if the following are true:

  • You’ve got a webapp that accepts user input
  • You use strip_tags() or similar to sanitize fields
  • You don’t explicitly remove less-than or greater-than characters from those fields (PHP’s strip_tags won’t remove a partial “<script” tag)
  • Values from two or more of these fields are printed close to each other in the output HTML, with little or no markup between them

The fourth item is tricky … The markup between the field values must not contain any quotes (the quotes would prematurely close the script tag injection attempt). In other words, it’s possible for an opening SCRIPT tag to be constructed using values from two subsequent user-input fields.

Granted, the vulnerability only arises if markup is formatted in a very specific way, but it’s worth taking another look at your code. See this gist with example HTML for what it looks like to your browser.

I submitted a Chromium bug report, but it’s something they’re not interested in fixing.

Guess we’re on our own.