Doc Bug #39521 DOMDocument::createElement() does not escape its parameters properly
Submitted: 2006-11-15 06:04 UTC Modified: 2016-06-21 16:14 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:5 of 6 (83.3%)
Same Version:1 (20.0%)
Same OS:3 (60.0%)
From: daniel dot oconnor at gmail dot com Assigned: cmb (profile)
Status: Closed Package: DOM XML related
PHP Version: 5.2.0 OS: Windows
Private report: No CVE-ID: None
 [2006-11-15 06:04 UTC] daniel dot oconnor at gmail dot com
Description:
------------
DomDocument::createElement() should warn you if you create invalid XML.



Reproduce code:
---------------
<?php
$string = '<tree><branch>Fun Games &amp;</branch></tree>';

// SimpleXML: a bare "&" in the value triggers a warning and truncates the text.
$xml = new SimpleXMLElement($string);

$xml->addChild('actor', 'John & Doe');
print $xml->asXML();

$dom = new domDocument;

$dom->loadXML($string);

// A text node escapes everything on output, so this is always well-formed.
$dom->appendChild($dom->createTextNode("fish &amp; & chips"));

// createElement() with a value: the bare "&" is passed through unescaped.
$node = $dom->createElement('fish', 'ampersand & this, &amp;');
$dom->appendChild($node);

print $dom->saveXML();

Expected result:
----------------
A warning when you do the createElement about the unfinished entity; or at least when you try the saveXML

Actual result:
--------------
---------- php ----------

Warning: SimpleXMLElement::addChild(): unterminated entity reference             Doe in C:\vx\tests\simplexml.php on line 6
<?xml version="1.0"?>
<tree><branch>Fun Games &amp;</branch><actor>John </actor></tree>
<?xml version="1.0"?>
<tree><branch>Fun Games &amp;</branch></tree>
fish &amp;amp; &amp; chips
<fish>ampersand & this, &amp;</fish>


 [2011-04-08 21:06 UTC] jani@php.net
-Package: Feature/Change Request +Package: DOM XML related
 [2014-04-09 09:29 UTC] thomas at weinert dot info
Description:
------------
The second argument ($value) in DOMDocument::createElement()/DOMDocument::createElementNS() is not escaped properly. To be more exact, "&" is not escaped, while "<" and ">" are. This results in a warning, and not all of the content is added to the text node inside the created element node.

Reproduce code:
---------------

<?php
$dom = new DOMDocument;
// The bare "&" in the value is not escaped by createElement().
$dom
  ->appendChild($dom->createElement('element', 'B & B'));

echo $dom->saveXml();


Expected result:
----------------

<?xml version="1.0"?>
<element>B &amp; B</element>

Actual result:
--------------

Warning: DOMDocument::createElement(): unterminated entity reference               B in /tmp/execpad-c7cffb3796e4/source-c7cffb3796e4 on line 4
<?xml version="1.0"?>
<element>B </element>

Additional Information
----------------------

The bug can be avoided if the text node is created separately and appended to the element node. 

<?php
$dom = new DOMDocument;
// appendChild() returns the appended node, so the text node ends up
// inside <element>; a DOMText node escapes "&" on serialization.
$dom
  ->appendChild($dom->createElement('element'))
  ->appendChild($dom->createTextNode('B & B'));

echo $dom->saveXml(), "\n";
 [2015-03-12 10:22 UTC] njean at quechoisir dot org
I very much agree with Thomas here: expected result is the node being added with all special characters being escaped, including ampersand.

So I believe the title of this bug is misleading, it should be called something like "DomDocument::createElement() does not escape its parameters properly".
 [2016-06-21 15:50 UTC] cmb@php.net
-Summary: DomDocument::createElement() should warn you if you create invalid XML. +Summary: DOMDocument::createElement() does not escape its parameters properly -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2016-06-21 15:50 UTC] cmb@php.net
> DomDocument::createElement() should warn you if you create
> invalid XML.

That has been fixed in the meantime as demonstrated by Thomas'
script.

> I very much agree with Thomas here: expected result is the node
> being added with all special characters being escaped, including
> ampersand.

I disagree. If ampersands were escaped, it wouldn't be
possible to have XML entity references in the value, which is
sometimes necessary.

> To be more exact "&" is not escaped, "<" and ">" are.

This is somewhat inconsistent, but escaping the & is not an
option, in my opinion. However, it's totally unclear to me why
double-quotes also don't get escaped.

Anyhow, changing the behavior of DOMDocument::createElement()
would cause a considerable BC break, and as such requires the RFC
process[1]. Feel free to submit such an RFC.

I'm changing this ticket to doc bug, so at least the behavior
will be documented.

[1] <https://wiki.php.net/rfc/howto>
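An added example (not code from the report or from PHP itself) putting the two points of this thread side by side: Thomas' text-node workaround for untrusted values, a pre-escaping alternative for when the value has to go through createElement(), and the entity-reference case cmb describes. The helper names appendTextElement and xmlEscape are hypothetical.

```php
<?php
// Added example, not part of the original bug report.

// Safe path for untrusted text: createElement() without a value, then a
// DOMText child. Text nodes escape &, < and > on serialization, so any
// input string is accepted and no "unterminated entity reference" warning
// can occur.
function appendTextElement(DOMNode $parent, string $name, string $text): DOMElement
{
    $doc = $parent instanceof DOMDocument ? $parent : $parent->ownerDocument;
    $el  = $doc->createElement($name);
    $el->appendChild($doc->createTextNode($text));
    $parent->appendChild($el);
    return $el;
}

// Alternative when the value must be passed to createElement() directly:
// pre-escape the untrusted string so it only contains well-formed
// predefined entity references (&amp; &lt; &gt; &quot; &#039;).
function xmlEscape(string $text): string
{
    return htmlspecialchars($text, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

$dom  = new DOMDocument('1.0', 'UTF-8');
$root = $dom->appendChild($dom->createElement('tree'));

// Constructed untrusted input, e.g. a request parameter.
$untrusted = 'B & B <script>';

appendTextElement($root, 'actor', $untrusted);
$root->appendChild($dom->createElement('actor2', xmlEscape($untrusted)));

// A trusted value that legitimately carries an entity reference: passing it
// through createElement() keeps the reference intact, which is the reason
// the "&" is not escaped there (cmb's point above).
$root->appendChild($dom->createElement('fish', 'fish &amp; chips'));

echo $dom->saveXML();
```

All three elements serialize with a single well-formed &amp; in their text, the difference being that only the first two accept arbitrary input.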
 [2016-06-21 16:13 UTC] cmb@php.net
-Type: Feature/Change Request +Type: Documentation Problem
 [2016-06-21 16:14 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=339438
Log: Fix #39521: DOMDocument::createElement() does not escape its parameters properly
 [2016-06-21 16:14 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-02-07 06:07 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=3e78b76ce4215a4927bf0926de9fbe4594e2e2b8
Log: Fix #39521: DOMDocument::createElement() does not escape its parameters properly
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 19:01:31 2024 UTC