striptags is vulnerable to cross-site scripting (XSS). A type-confusion vulnerability occurs when concatenating unsanitized strings when an array-like object is passed in as the html parameter. An attacker who is able to control the shape of their input can abuse this behavior to inject and execute arbitrary Javascript in a user’s browser.