Bug #20968 Session rewriter misses a case
Submitted: 2002-12-12 11:42 UTC Modified: 2002-12-20 04:37 UTC
From: CharlesK at netgaintechnology dot com Assigned:
Status: Wont fix Package: Session related
PHP Version: 4.2.3 OS: Windows 2000
Private report: No CVE-ID: None
 [2002-12-12 11:42 UTC] CharlesK at netgaintechnology dot com
When HTML is written with JavaScript and trans sid is used, the JavaScript may get messed up.

i.e.
<script LANGUAGE=JavaScript1.2>
    str += "<form name=reptoc>";
</script>
becomes
<script LANGUAGE=JavaScript1.2>
    str += "<form name="reptoc"><input type="hidden" name="PHPSESSID" value="some value" />";
</script>

This produces a parse error because the quotes are breaking the string.

Thanks
Charles Killmer

 [2002-12-12 11:49 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip
 [2002-12-12 12:29 UTC] CharlesK at netgaintechnology dot com
The CVS behaves differently, but still the same error.

str += "<form name=reptoc><input type="hidden" name="PHPSESSID" value="some value" />";

It doesn't put quotes around the reptoc, but it still puts bad quotes around the type="hidden" and others.

Charles
 [2002-12-13 03:02 UTC] sniper@php.net
Use single quotes in your script. Not a bug.

 [2002-12-13 08:03 UTC] CharlesK at netgaintechnology dot com
The JavaScript is generated code from a product by a DLL.  I have no access to modifying the HTML.

The only workaround I have is to not use trans sid.  But then clients without cookies cannot access it.  

I do not believe this behavior is intentional.

Charles
 [2002-12-13 08:05 UTC] derick@php.net
It is intentional
 [2002-12-20 04:37 UTC] yohgaki@php.net
"Won't fix" would be better for searching these things.
 
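A minimal model of the behaviour reported in this thread, added here as an example (it is not code from the report or from PHP). The function names, the sample page and the regular expressions are assumptions; the naive pass reproduces the CVS-snapshot output quoted above, and the script-aware pass is one possible way a rewriter could avoid the breakage, not PHP's implementation.

```javascript
// Hidden field as it appears in the report's rewritten output.
const SID_FIELD = '<input type="hidden" name="PHPSESSID" value="some value" />';

// Naive pass: append the hidden field after every <form ...> tag,
// without checking whether the tag sits inside a <script> block.
function naiveRewrite(html) {
  return html.replace(/<form\b[^>]*>/gi, (tag) => tag + SID_FIELD);
}

// Script-aware pass: split out <script>...</script> blocks and
// rewrite only the markup between them.
function scriptAwareRewrite(html) {
  return html
    .split(/(<script\b[^>]*>[\s\S]*?<\/script>)/i)
    .map((part) => (/^<script\b/i.test(part) ? part : naiveRewrite(part)))
    .join('');
}

// Bodies of all <script> blocks in the page.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// True if every script body still parses. new Function() compiles the
// body without running it and throws SyntaxError on a broken string.
function scriptsParse(html) {
  return scriptBodies(html).every((body) => {
    try { new Function(body); return true; } catch (e) { return false; }
  });
}

// Constructed sample: one real form plus the script from the report.
const sample = [
  '<form name=outer action=page.php>',
  '</form>',
  '<script LANGUAGE=JavaScript1.2>',
  '    var str = "";',
  '    str += "<form name=reptoc>";',
  '</script>',
].join('\n');

console.log('naive rewrite parses:', scriptsParse(naiveRewrite(sample)));
console.log('script-aware rewrite parses:', scriptsParse(scriptAwareRewrite(sample)));
```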
Last updated: Sat Nov 23 10:01:28 2024 UTC