A type-confusion vulnerability can cause
striptags to concatenate unsanitized strings when an array-like object is passed in as the
html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function.
Ensure that the
html parameter is a string before calling the function.