php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #62013 Htmlentities doesn't convert the characters (,),: to a named entity
Submitted: 2012-05-13 01:01 UTC Modified: 2012-05-13 01:53 UTC
From: c dot noesterer at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.4.3 OS: Linux 3.3.4-1-ARCH
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: c dot noesterer at gmail dot com
New email:
PHP Version: OS:

 

 [2012-05-13 01:01 UTC] c dot noesterer at gmail dot com 
Description:
------------
Htmlentities doesn't convert the characters (,),: to a named entity.

Therefore a XSS-attack works for the script attached:
?test=javascript:alert(1);

Test script:
---------------
<!DOCTYPE html>
<html>
<head>
<title>Test</title>
</head>
<body>
<?php
echo '<a href='.htmlentities($_GET["test"]).'>test</a>';
?>
</body>
</html>


Expected result:
----------------
<a href=javascript&colon;alert&lpar;1&rpar;>test</a>

Actual result:
--------------
<a href=javascript:alert(1);>test</a>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-13 01:53 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2012-05-13 01:53 UTC] rasmus@php.net 
You are using the wrong function. htmlentities() for encoding entities special to 
HTML. Inside an href tag you don't have HTML, you have a URL so you need to use 
urlencode().
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 16:01:28 2024 UTC