Bug #62683 FILTER_SANITIZE_SPECIAL_CHARS does not work as declared
Submitted: 2012-07-28 12:22 UTC Modified: 2014-01-13 01:39 UTC
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:4 (100.0%)
From: admin dot windows at gmail dot com Assigned: requinix (profile)
Status: Closed Package: Filter related
PHP Version: 5.3.15 OS: Windows/Linux
Private report: No CVE-ID: None
 [2012-07-28 12:22 UTC] admin dot windows at gmail dot com
Description:
------------
FILTER_SANITIZE_SPECIAL_CHARS and FILTER_SANITIZE_FULL_SPECIAL_CHARS do not work
as documented, and the produced results do not match the htmlspecialchars results at all.



Test script:
---------------
<?php
$string = "<a href=\"#\">O'Reilly - PHP Tips & Tricks</a>";

//string '<a href="#">O'Reilly - PHP Tips & Tricks</a>' (length=44)
var_dump($string);


//string '&lt;a href=&quot;#&quot;&gt;O&#039;Reilly - PHP Tips &amp; Tricks&lt;/a&gt;' (length=75)
var_dump(htmlspecialchars($string, ENT_QUOTES));

//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)
var_dump(filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS));

//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)
var_dump(filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS));

Expected result:
----------------
//string '&lt;a href=&quot;#&quot;&gt;O&#039;Reilly - PHP Tips &amp; Tricks&lt;/a&gt;' (length=75)

Actual result:
--------------
//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)

 [2014-01-13 00:51 UTC] shensiapoost at yahoo dot com
According to http://www.php.net/manual/en/filter.filters.sanitize.php, only FILTER_SANITIZE_FULL_SPECIAL_CHARS is equal to htmlspecialchars(). Therefore, FILTER_SANITIZE_SPECIAL_CHARS is acting like it should.

The reason you are seeing FILTER_SANITIZE_FULL_SPECIAL_CHARS not produce the right results is https://bugs.php.net/bug.php?id=65282. Because of this bug, if you used the FILTER_SANITIZE_FULL_SPECIAL_CHARS constant, you were essentially calling FILTER_SANITIZE_SPECIAL_CHARS. That is why the two produce the same result.
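An added example, not code from the report or from PHP itself: it runs the report's string and a constructed control-character input through both filters and htmlspecialchars(), and checks whether FILTER_SANITIZE_FULL_SPECIAL_CHARS really matches htmlspecialchars() with ENT_QUOTES, which is how a build affected by bug #65282 can be told apart from a fixed one. The helper names encodings() and fullSpecialCharsIsFixed() are assumptions of this example.

```php
<?php
// Added example, not code from the report or from PHP itself.
// Runs one input through the three encoders the report compares.
function encodings(string $input): array
{
    return [
        'htmlspecialchars'   => htmlspecialchars($input, ENT_QUOTES),
        'SPECIAL_CHARS'      => filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS),
        'FULL_SPECIAL_CHARS' => filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    ];
}

// True when FILTER_SANITIZE_FULL_SPECIAL_CHARS behaves as documented, i.e.
// identically to htmlspecialchars() with ENT_QUOTES. On a build affected by
// bug #65282 it instead returns the numeric-entity form of SPECIAL_CHARS.
function fullSpecialCharsIsFixed(string $input): bool
{
    $e = encodings($input);
    return $e['FULL_SPECIAL_CHARS'] === $e['htmlspecialchars'];
}

// Constructed inputs: the report's string, plus control characters, which
// SPECIAL_CHARS encodes (ASCII < 32) and htmlspecialchars() leaves alone.
$samples = [
    '<a href="#">O\'Reilly - PHP Tips & Tricks</a>',
    "tab\there, bell\x07there",
];

foreach ($samples as $s) {
    foreach (encodings($s) as $name => $out) {
        printf("%-19s %s\n", $name . ':', $out);
    }
    echo fullSpecialCharsIsFixed($s)
        ? "FULL_SPECIAL_CHARS matches htmlspecialchars(ENT_QUOTES): fixed build\n\n"
        : "FULL_SPECIAL_CHARS differs from htmlspecialchars(): bug #65282 behaviour\n\n";
}

// Caveat for output encoding: FILTER_FLAG_NO_ENCODE_QUOTES leaves ' and "
// untouched, so a value escaped this way must not be placed in an HTML attribute.
var_dump(filter_var('a "quoted" value', FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES));
```

Both entity forms (named and numeric) decode to the same text in a browser, so either filter is a valid HTML-body escape; the practical difference is the control-character handling and the quote flag shown above.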
 [2014-01-13 01:39 UTC] requinix@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: requinix
 [2014-01-13 01:39 UTC] requinix@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 23:01:28 2024 UTC