Bug #57059 Sanitize string : encode amp
Submitted: 2006-06-02 09:33 UTC Modified: 2006-11-09 20:16 UTC
From: c dot lecocq at pixandlog dot com Assigned:
Status: Not a bug Package: filter (PECL)
PHP Version: Irrelevant OS: Gentoo Linux
Private report: No CVE-ID: None
 [2006-06-02 09:33 UTC] c dot lecocq at pixandlog dot com
Description:
------------
When used with the FILTER_FLAG_ENCODE_AMP flag, the SANITIZE_STRING filter re-encodes the '&' that came from the current encoding.
(ex: ' -> &#39; -> &#38;#39;)

Reproduce code:
---------------
<?php
// filter_data() was the early PECL filter name; the bundled extension calls it filter_var().
$variable = "abc&def'ghi";
// FILTER_SANITIZE_STRING turns ' into &#39;, then FILTER_FLAG_ENCODE_AMP
// encodes the & of that entity a second time.
var_dump(filter_var($variable, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP));
?>


Expected result:
----------------
string(23) "abc&#38;def&#39;ghi"

Actual result:
--------------
string(23) "abc&#38;def&#38;#39;ghi"

 [2006-06-02 10:45 UTC] c dot lecocq at pixandlog dot com
Description:
------------
FILTER_UNSAFE_RAW doesn't seem to have the same bug...

Reproduce code:
---------------
<?php
// filter_data() was the early PECL filter name; the bundled extension calls it filter_var().
// "\xE9" is é as a single ISO-8859-1 byte (233), which FILTER_FLAG_ENCODE_HIGH
// emits as &#233;; a UTF-8 é is two bytes and would give two entities instead.
$variable = "abc&d\xE9fghi";
var_dump(filter_var($variable, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP));
var_dump(filter_var($variable, FILTER_UNSAFE_RAW, FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP));
?>

Expected result:
----------------
string(19) "abc&#38;d&#233;fghi"
string(19) "abc&#38;d&#233;fghi"

Actual result:
--------------
string(23) "abc&#38;d&#38;#233;fghi"
string(19) "abc&#38;d&#233;fghi"
 [2006-11-09 20:16 UTC] ilia at prohost dot org
Thank you for taking the time to write to us, but this is not a bug.

Sanitize string causes PHP to encode ' into an HTML entity. Then you apply the encode amp flag, which converts all &, including the one in the ' entity, into HTML entities, subsequently causing double encoding.
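The mechanism described in the reply, as an added example that is not part of the bug report or of the filter extension: it reproduces the double encoding with the current filter_var() name, contrasts it with a single htmlspecialchars() pass done once at output time, and adds a round-trip check that flags double-encoded output. The input strings and the roundTrips() helper are constructed for this example.

```php
<?php
// Added example, not code from the bug report or the filter extension.
// Shows why stacking two encoders (FILTER_SANITIZE_STRING, then
// FILTER_FLAG_ENCODE_AMP) double-encodes, and how to detect and avoid it.
declare(strict_types=1);

// Constructed sample input: one reserved character (&) and one quote (').
$input = "abc&def'ghi";

// Two encoders in sequence: the filter first turns ' into &#39;, then
// FILTER_FLAG_ENCODE_AMP turns the & of that entity into &#38;.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and emits E_DEPRECATED.
$doubled = filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP);

// Round-trip check (constructed helper): correctly encoded output decodes
// back to the original string exactly once; double-encoded output does not.
function roundTrips(string $original, string $encoded): bool
{
    return html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $original;
}

// One encoder, one pass, applied at the HTML output boundary: &, <, >, " and '
// are all handled by the same call, so no entity is ever re-encoded.
$once = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// If already-encoded data must be encoded again (for example a value that was
// stored encoded), double_encode=false leaves existing entities untouched,
// which makes the call idempotent.
$twice = htmlspecialchars($once, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);

var_dump($doubled, roundTrips($input, $doubled));
var_dump($once, roundTrips($input, $once));
var_dump($twice === $once);
```

The round trip fails for the stacked filters because decoding &#38;#39; yields the literal text &#39;, not the apostrophe, while the single htmlspecialchars() pass decodes back to the input and re-encoding it with double_encode=false changes nothing. The practical rule the thread illustrates is to sanitize on input if you must, but encode exactly once, for the specific output context, at the point where the data is written into HTML.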