Is strip_tags() vulnerable to scripting attacks?

Question

Is there a known XSS or other attack that makes it past a

$content = "some HTML code";
$content = strip_tags($content);

echo $content;

Answer 1

I cannot predict future exploits, especially since I haven't looked at the PHP source code for this. However, there have been exploits in the past due to browsers accepting seemingly invalid tags (like ). So it's possible that in the future someone might be able to exploit odd browser behavior.

That aside, sending the output directly to the browser as a full block of HTML should never be insecure:

echo '
'.strip_tags($foo).'
'

However, this is not safe:

echo '';

because one could easily end the quote via " and insert a script handler.

I think it's much safer to always convert stray < into < (and the same with quotes).