Bug #23049 href, textarea, session.use_trans_sid = 1 and session.use_cookies = 0
Submitted: 2003-04-04 06:43 UTC Modified: 2003-04-08 20:32 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: adu@php.net Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.2-RC OS: REDHAT 8
Private report: No CVE-ID: None

 [2003-04-04 06:43 UTC] adu@php.net
Write this into a php file

// START HERE //////////////////////////
<?php session_start(); ?>
<form><textarea><a href=/>ROOT</a></textarea></form>
// END HERE //////////////////////////

If you have
    session.use_trans_sid = 1
    session.use_cookies = 0
in php.ini, href=/ will be replaced with
href="/?PHPSESSID=8c620e45832e417c14f3458c0a826274"
although it is inside a textarea.

 [2003-04-08 20:32 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The <a href> should've been encoded, then the problem would not have occurred. Expected behaviour with invalid HTML.
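
The encoding the reply above refers to, as an added example (not code from the report or from PHP itself): the textarea content is passed through htmlspecialchars() so the session URL rewriter finds no <a href> tag to rewrite. The helper name textarea_field, the field name body and the sample snippet are assumptions for illustration; the php.ini settings are assumed to be those from the report.

```php
<?php
// Added example. Assumes the php.ini settings from the report:
//   session.use_trans_sid = 1
//   session.use_cookies   = 0
session_start();

/**
 * Hypothetical helper: render a <textarea> whose content is arbitrary text.
 *
 * htmlspecialchars() turns < > & and quotes into entities, so the page
 * output contains "&lt;a href=/&gt;" instead of a literal "<a href=/>" tag.
 * The trans-sid rewriter scans the output for tags, finds none inside the
 * textarea, and leaves that text untouched. The browser decodes the
 * entities, so the user still sees and submits the original markup.
 */
function textarea_field(string $name, string $text): string
{
    return sprintf(
        '<textarea name="%s">%s</textarea>',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample content: the markup from the report, treated as text.
$snippet = '<a href=/>ROOT</a>';
?>
<form method="post">
<?= textarea_field('body', $snippet) ?>
</form>
<!-- A real link outside the textarea is still rewritten with the session ID. -->
<a href="/">ROOT</a>
```

With the report's settings, only the final link should come back with PHPSESSID appended; the text inside the textarea is served as entities and displays as the original markup.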