Confused about StripTags filter


I'm a little confused about the StripTags filter as used in Zend. I think it's meant to strip tags that could result in XSS. So shouldn't that mean it should be used when outputting data in the views? I've seen it being used with form inputs

->addFilter('StripTags')

Should it be used with both input in the forms and output in the views, or does it work by filtering the data before it even enters the database (in which case that wouldn't be a good idea)?

4


3
BEST ANSWER

Not so much a direct answer to your question and more an alternative approach.

In the blog post "HTML Sanitisation: The Devil's In The Details (And The Vulnerabilities)", Padraic Brady discusses HTML sanitisation and various components for doing it. He expresses significant concerns about the use of the StripTags filter for that purpose.

HTMLPurifier seems to be a better choice.

0

According to the ZF2 unofficial documentation:

https://zf2.readthedocs.org/en/latest/modules/zend.filter.set.html#striptags

Zend\Filter\StripTags is potentially unsecure

Be warned that Zend\Filter\StripTags should only be used to strip all available tags.

Using Zend\Filter\StripTags to make your site secure by stripping some unwanted tags will lead to unsecure and dangerous code.

Zend\Filter\StripTags must not be used to prevent XSS attacks. This filter is no replacement for using Tidy or HtmlPurifier.

So use it at your own risk...

0

StripTags is used with output in the views. Note that displaying text in an editable field (such as a textarea) is actually still an "output in the view". Data should not be preprocessed/transformed before entering the database.
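The difference between filtering on input and escaping on output, as an added example that is not part of the question or any of the answers: PHP's built-in strip_tags() stands in for Zend\Filter\StripTags (both are tag strippers) and htmlspecialchars() stands in for the view escape helper (Zend\Escaper\Escaper::escapeHtml() in ZF2), so the script runs without the framework; the function names and sample inputs are constructed for this illustration.

```php
<?php
// Added example, not from the original thread. Shows why a tag stripper
// belongs (if anywhere) at the "strip everything" normalisation step and
// why context-aware escaping at render time is the actual XSS defence.

// Store what the user typed, unchanged. The database keeps the real data.
function storeRaw(string $input): string {
    return $input;
}

// "Filter on input": the value is transformed before it is stored, so the
// original is lost. strip_tags() plays the role of Zend\Filter\StripTags.
function storeStripped(string $input): string {
    return strip_tags($input);
}

// "Escape on output": the stored value is left alone and only encoded for
// the HTML body context at the moment it is rendered into the view.
function renderHtmlBody(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (hypothetical user submissions).
$samples = [
    'comparison' => 'x<y and z>w',                  // no tag was intended
    'about html' => 'use <strong> for emphasis',    // user describing HTML
    'markup'     => '<b onclick="f()">bold</b>',    // markup that must not execute
];

foreach ($samples as $label => $input) {
    // The stripper silently discards everything between '<' and '>',
    // including the user's legitimate text in the first two samples.
    printf("%-10s stripped on input:  %s\n", $label, storeStripped($input));
    // Escaping keeps the data intact and renders all three as inert text.
    printf("%-10s escaped on output:  %s\n\n", $label, renderHtmlBody(storeRaw($input)));
}
```

Whatever you stored, the escaped output is what should reach the HTML; a value that was stripped on input still needs escaping when it is displayed, so stripping buys no exemption from the view-side step.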

0

The StripTags filter will not be applied unless you explicitly call it through

$stripedValue = $form->getValue('fieldName');