Bug #57927 Be careful with special chars when generating xml
Submitted: 2007-11-23 12:27 UTC Modified: 2017-01-10 08:10 UTC
From: mfp@php.net Assigned:
Status: Suspended Package: SCA_SDO (PECL)
PHP Version: 5.2.1 OS:
Private report: No CVE-ID: None
 [2007-11-23 12:27 UTC] mfp@php.net
Description:
------------
We had a conversation on the google group as follows, relating to the possibility of generating xml without the necessary escaping:


Hi Caroline,
Well spotted. There are places in both the wsdl generation and in the xmlrpc binding where we generate xml by simply sticking strings together (I searched for "</").

We should probably edit the variables that we are using to make sure they don't contain dodgy characters. I think they are only ever values that we pull out of the annotations e.g. from @param and so forth, but we should be careful. I will raise a pecl bug to track it. 

Matthew

On Nov 23, 4:33 pm, Caroline Maynard <c...@php.net> wrote:
> Caroline Maynard wrote:
> > Caroline Maynard wrote:
> > Matthew, I see you've found a Tuscany problem
> > (http://issues.apache.org/jira/browse/TUSCANY-1553) already open for
> > this. Even if that gets fixed though, I don't think we can always depend
> > on Tuscany - the SCA code generates some xml itself in places, does it
> > not? - so we have to be prepared with the htmlentities($in, ENT_QUOTES)
> > or its internal equivalent, I think.
> 
> ... but not substituting within CDATA sections, of course ...
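
The escaping issue discussed in this report, as an added example that is not part of the original report and is not SCA_SDO code. It assumes PHP 7.1 or later with ext-dom; the function names and the sample annotation value are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical helpers: build a WSDL-style <documentation> element from an
// annotation string such as the text that follows an @param tag.

// Raw concatenation, the pattern the report describes.
function doc_element_raw(string $text): string
{
    return '<documentation>' . $text . '</documentation>';
}

// Escape with the XML entity table, so only the five predefined XML entities
// are emitted. htmlentities() with its default HTML table would also emit
// names such as &eacute;, which an XML parser rejects unless a DTD declares them.
function xml_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_XML1 | ENT_SUBSTITUTE, 'UTF-8');
}

function doc_element_escaped(string $text): string
{
    return '<documentation>' . xml_escape($text) . '</documentation>';
}

// CDATA content is not entity-escaped, but the terminator "]]>" has to be
// split across two sections so the value cannot close the section early.
function doc_element_cdata(string $text): string
{
    return '<documentation><![CDATA['
        . str_replace(']]>', ']]]]><![CDATA[>', $text)
        . ']]></documentation>';
}

// Returns the element's text content if the fragment is well-formed, else null.
function parse_text(string $xml): ?string
{
    $doc = new DOMDocument();
    $ok = @$doc->loadXML($xml); // parser warnings suppressed; failure returns false
    return $ok ? $doc->documentElement->textContent : null;
}

// Constructed sample annotation value containing markup characters.
$param = 'array<string> $names  items where a < b && "quoted" ]]> café';

var_dump(parse_text(doc_element_raw($param)));                 // fails to parse
var_dump(parse_text(doc_element_escaped($param)) === $param);  // round-trips
var_dump(parse_text(doc_element_cdata($param)) === $param);    // round-trips
```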


 [2017-01-10 08:10 UTC] kalle@php.net
-Status: Open +Status: Suspended
 [2017-01-10 08:10 UTC] kalle@php.net
Suspending this report as the extension has not had a release for almost 9 years. Please revive this if the extension once again shows life.
 