A type-confusion vulnerability can cause striptags
to concatenate unsanitized strings when an array-like object is passed in as the html
parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.
XSS
Ensure that the html
parameter is a string before calling the function.
Upgrade to version 3.2.0 or later