GHSA-gwpm-pm6x-h7rj
MEDIUMZendFramework Cross-site Scripting vector in `Zend_Filter_StripTags`
Blast Radius
zendframework/zendframework1Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Zend_Filter_StripTags is a filtering class analogous to PHP's strip_tags() function. In addition to stripping HTML tags and selectively keeping those provided in a whitelist, it also provides the ability to whitelist specific attributes to retain per whitelisted tag.
The reporter discovered that attributes that contained whitespace, and in paricular, line breaks, surrounding the attribute assignment operator would not be stripped, regardless of whether or not they were whitelisted. As examples of input affected:
<!-- newlines before and/or after assignment: -->
<a href="http://framework.zend.com/issues" onclick
=
"alert('Broken'); return false;">Issues</a>
When passed to the following code:
$filter = new Zend_Filter_StripTags(array('a' => array('href')));
$value = $filter->($html);
then the "onclick" attribute would remain, even though it was not specified in the tag's whitelist. This could open potential cross-site scripting attack (XSS) vectors.
Recommendations
If you were using Zend_Filter_StripTags and utlizing the attribute whitelisting functionality, you should immediately upgrade to Zend Framework 1.7.6 or above; regardless, it is always best to run the most current version of the framework.
Also, if relying on Zend_Filter_StripTags to prevent XSS, the only way to reliably do so is to strip all tags, and never to whitelist. If you are whitelisting, you should consider finding a reliable XSS filter through which to run your output; we recommend HTML Purifier.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | zendframework/zendframework1 | ≥ 1.7.0&&< 1.7.6 | 1.7.6 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for zendframework/zendframework1. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update zendframework/zendframework1 to 1.7.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-gwpm-pm6x-h7rj is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-gwpm-pm6x-h7rj is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-gwpm-pm6x-h7rj. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-gwpm-pm6x-h7rj in your dependencies?
O3 detects GHSA-gwpm-pm6x-h7rj across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.