PHP :: Bug #62683 :: FILTER_SANITIZE_SPECIAL_CHARS does not work as declared

Bug #62683

FILTER_SANITIZE_SPECIAL_CHARS does not work as declared

Submitted:

2012-07-28 12:22 UTC

Modified:

2014-01-13 01:39 UTC

Votes:	5
Avg. Score:	4.6 ± 0.8
Reproduced:	4 of 4 (100.0%)
Same Version:	3 (75.0%)
Same OS:	4 (100.0%)

From:

admin dot windows at gmail dot com

Assigned:

requinix (profile)

Status:

Closed

Package:

Filter related

PHP Version:

5.3.15

OS:

Windows/Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	admin dot windows at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-07-28 12:22 UTC] admin dot windows at gmail dot com

Description:
------------
FILTER_SANITIZE_SPECIAL_CHARS and FILTER_SANITIZE_FULL_SPECIAL_CHARS does not work 
as documented and produced results does not match htmlspecialchars results at all.



Test script:
---------------
$string = "<a href=\"#\">O'Reilly - PHP Tips & Tricks</a>";

//string '<a href="#">O'Reilly - PHP Tips & Tricks</a>' (length=44)
var_dump($string);


//string '&lt;a href=&quot;#&quot;&gt;O&#039;Reilly - PHP Tips &amp; Tricks&lt;/a&gt;' (length=75)
var_dump(htmlspecialchars($string, ENT_QUOTES));

//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)
var_dump(filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS));

//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)
var_dump(filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS));

Expected result:
----------------
//string '&lt;a href=&quot;#&quot;&gt;O&#039;Reilly - PHP Tips &amp; 
Tricks&lt;/a&gt;' (length=75)

Actual result:
--------------
//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; 
Tricks&#60;/a&#62;' (length=76)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-01-13 00:51 UTC] shensiapoost at yahoo dot com

According to http://www.php.net/manual/en/filter.filters.sanitize.php, only FILTER_SANITIZE_FULL_SPECIAL_CHARS is equal to htmlspecialchars(). Therefore, FILTER_SANITIZE_SPECIAL_CHARS is acting like it should.

The reason you are seeing FILTER_SANITIZE_FULL_SPECIAL_CHARS not produce the right results is because of https://bugs.php.net/bug.php?id=65282. Because of this bug, if you used the FILTER_SANITIZE_FULL_SPECIAL_CHARS constant, you were essentially calling FILTER_SANITIZE_SPECIAL_CHARS. Thus, why the two produce the same result.

[2014-01-13 01:39 UTC] requinix@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: requinix

[2014-01-13 01:39 UTC] requinix@php.net

Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 07:01:28 2025 UTC