php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #20310 print_r should apply htmlspecialchars
Submitted: 2002-11-08 08:01 UTC Modified: 2002-11-08 13:47 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: Otto dot Stolz at uni-konstanz dot de Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: 4.2.2 OS: SunOS
Private report: No CVE-ID: None
View Developer Edit
 [2002-11-08 08:01 UTC] Otto dot Stolz at uni-konstanz dot de 
print_r writes directly to php://output, hence
its output should comply with HTML syntax rules.
However, print_r will issue non-compliant code,
or generate spurious entities, whenever a
variable contains an HTML special character.

Hence, print_r should apply htmlspecialchars to
all strings it is going to write to php://output.

Try the demo at
<http://www.rz.uni-konstanz.de/Antivirus/tests/print_r.php> 
with Netscape 6, or Opera 6, as IE 6 will not reveal
all the surprises I've hidden therein ;-)
The pertinent PHP source can be seen at
<http://www.rz.uni-konstanz.de/Antivirus/tests/print_r.txt>.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-11-08 08:16 UTC] derick@php.net 
print_r is just a debugging tool, I see no reason to have htmlspecialchars applied to it. Also, you can do this yourself quite easily by using output buffers if you _really_ need this.

Derick
 [2002-11-08 08:36 UTC] Otto dot Stolz at uni-konstanz dot de 
Just because print_r is a debuggung tool,
it shold not introduce additional bugs into the HTML code!

But as it is, it will
- insert a HTML tag whenever it should report
  a less-than csign,
- insert a HTML entity whenever it should report
  an ampersand sign,
- spoil the whole HTML syntax, whenever it simply
  should report a double-quote sign.
This renders print_r rather a dangerous (if not
to say: unusable) tool.

Please revert the status of Bug #20310 to open,
or perhaps to feature-request.
 [2002-11-08 08:48 UTC] jbozza at thinkburst dot com 
Just a quick comment on this (and why I think it should stay as it is):

I use print_r both in online (Web-based) and offline scripting.  Changing print_r to output html characters would screw things up for those people that use PHP for more than just a web language.

That being said, if you want to use the debugging tool, just use &lt;PRE&gt;&lt;/PRE&gt; around the print_r if you need to view it correctly.  Nothing's wrong with the "tool" as it works now.
 [2002-11-08 09:24 UTC] Otto dot Stolz at uni-konstanz dot de 
Enclosing print_r with <pre> and </pre> does not help!
This is exactly what I demonstrate in
<http://www.rz.uni-konstanz.de/Antivirus/tests/print_r.php>.

I was not aware that PHP can also be used without a HTML
context; so I am not sure what to suggest. Could print_r
determine whether it is writing to a HTML source and act accordingly?

In any case, as it stands currently, print_r is akin to
a time-bomb in unsuspecting authors' HTML pages.
 [2002-11-08 13:47 UTC] msopacua@php.net 
Look - it's really simple:
<?php
function ob_smart_html_handler($string)
{
    $string = (isset($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars($string) : $string;
    return $string;
}
// create $var here
ob_start('ob_smart_html_handler');
print_r($var);
ob_end_flush();
?>

Additionally, using 4.3.0 (slightly different output):
<?php
print(htmlspecialchars(var_export($var, TRUE)));
?>

Now - those few lines of 'extra' code, simply don't warrant a change in behavior, that has the potential to break CLI code.
 [2002-11-11 02:35 UTC] Otto dot Stolz at uni-konstanz dot de 
Thank you for those hints.
As said before, I was not aware that existing CLI code
might be broken by my request.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 01 16:00:01 2025 UTC