Security Advisory

ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed

Executive Summary

Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.

Action Taken

The Zend Framework team has determined that since this vulnerability is so trivial to exploit, the functionality to allow whitelisting comments will now be disabled in this and all future releases. Additionally, the regular expression for stripping comments has been bolstered to properly remove comments containing HTML tags, nested comments, and comments ending with whitespace between the "--" and ending delimiter (">").


If you use this filter and were enabling the "allowComments" functionality, be advised that it is now silently ignored. We also recommend such users to upgrade to the latest available Zend Framework release, or one of the following releases, immediately.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.


Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

Released Mon, 11 Jan 2010 16:00:00 -0500.

back to advisories