PT-2024-40309 · Zend · Zend Framework

Published

2024-06-07

·

Updated

2024-06-07

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Zend Framework versions prior to 1.7.6
Description The issue concerns the Zend_Filter_StripTags class, which is used for filtering HTML tags and, optionally, whitelisting the attributes that may remain on the tags it allows. Attributes written with whitespace or line breaks around the assignment operator (for example onclick = "...") were not stripped, even when they were not on the whitelist. Because event-handler attributes such as onclick execute script, this leaves a cross-site scripting (XSS) vector open through the filter. For example, with onclick absent from the whitelist for the a tag, the onclick attribute survives filtering in <a href="http://framework.zend.com/issues" onclick = "alert('Broken'); return false;">Issues</a>.
Recommendations If you use Zend_Filter_StripTags with attribute whitelisting, upgrade to Zend Framework 1.7.6 or later (the installed version is exposed as Zend_Version::VERSION). If you rely on Zend_Filter_StripTags to prevent XSS, prefer stripping all tags and never whitelisting attributes. If you must whitelist, run the output through a dedicated, reliable XSS filter such as HTML Purifier.
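The following is an added Python illustration of the attribute-whitelist failure described above and of the rebuild-from-whitelist approach that removes it. It is not Zend Framework's code (which is PHP) and does not reproduce its regular expressions; the tag and attribute patterns, the ALLOWED whitelist (only href on a) and the sample inputs are constructed for this example. The vulnerable function deletes only those non-whitelisted attributes it can parse with a strict name="value" pattern, so an attribute with whitespace around = is never parsed and is passed through untouched. The hardened function parses with a whitespace-tolerant pattern and emits only whitelisted attributes, so anything it does not recognize is dropped rather than forwarded.

```python
import re

# Constructed sample taken from the advisory's example: onclick is not on the
# whitelist for <a>, yet it survives the vulnerable filter.
SAMPLE = ('<a href="http://framework.zend.com/issues" '
          'onclick = "alert(\'Broken\'); return false;">Issues</a>')

# Assumed whitelist: tag name -> attribute names that may stay on that tag.
ALLOWED = {"a": {"href"}}

# Simplified tag tokenizer (assumption: no '>' inside attribute values).
_TAG = re.compile(r'<(/?)([A-Za-z][\w-]*)([^>]*?)(/?)>', re.S)

# Strict pattern: only name="value" / name='value' with no whitespace around
# '='. An attribute written as  onclick = "..."  never matches this.
_STRICT_ATTR = re.compile(r'(\w+)=(["\'])(.*?)\2', re.S)

# Tolerant pattern: whitespace and line breaks are allowed on both sides of '='.
_LOOSE_ATTR = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.S)


def strip_tags_vulnerable(html, allowed=ALLOWED):
    """Delete each *parsed* non-whitelisted attribute from the original
    attribute string. Text the strict regex did not parse is left exactly as
    it was, which is the flaw the advisory describes."""
    def fix_tag(m):
        closing, name, attrs, selfclose = m.groups()
        lname = name.lower()
        if lname not in allowed:
            return ''                     # tag not allowed: drop it, keep text
        if closing:
            return f'</{name}>'
        for attr_name, quote, value in _STRICT_ATTR.findall(attrs):
            if attr_name.lower() not in allowed[lname]:
                attrs = attrs.replace(f'{attr_name}={quote}{value}{quote}', '')
        attrs = attrs.strip()
        return f'<{name}{" " + attrs if attrs else ""}{selfclose}>'
    return _TAG.sub(fix_tag, html)


def strip_tags_fixed(html, allowed=ALLOWED):
    """Rebuild every allowed tag from scratch: parse attributes with the
    whitespace-tolerant regex and emit only whitelisted ones. Anything the
    parser does not recognize is discarded instead of passed through."""
    def fix_tag(m):
        closing, name, attrs, selfclose = m.groups()
        lname = name.lower()
        if lname not in allowed:
            return ''
        if closing:
            return f'</{name}>'
        kept = []
        for attr_name, dq_value, sq_value in _LOOSE_ATTR.findall(attrs):
            if attr_name.lower() in allowed[lname]:
                # Re-quote with double quotes; escape any embedded double quote
                # that a single-quoted value may have carried.
                value = (dq_value or sq_value).replace('"', '&quot;')
                kept.append(f'{attr_name}="{value}"')
        return f'<{name}{" " + " ".join(kept) if kept else ""}{selfclose}>'
    return _TAG.sub(fix_tag, html)


if __name__ == '__main__':
    print('vulnerable:', strip_tags_vulnerable(SAMPLE))
    print('fixed:     ', strip_tags_fixed(SAMPLE))
```

The design point is the difference between a deny-by-removal filter, which can only remove what its parser recognizes, and an allow-by-reconstruction filter, whose output contains nothing the parser did not explicitly accept. The second shape is what the recommendation to use a dedicated filter such as HTML Purifier amounts to.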

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-GWPM-PM6X-H7RJ

Affected Products

Zend Framework