php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75163 filter_var with FILTER_SANITIZE_SPECIAL_CHARS is manipulating data
Submitted: 2017-09-06 11:07 UTC Modified: 2017-09-06 11:33 UTC
From: itsursujit at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.6.31 OS: Ubuntu
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: itsursujit at gmail dot com
New email:
PHP Version: OS:

 

 [2017-09-06 11:07 UTC] itsursujit at gmail dot com 
Description:
------------
I encountered this issue when I tried to sanitize urlencoded variables. Here are the steps with expected and actual results:
Step 1: assign string to variable with encoded characters
     
    $x="I've some comment";

Step 2: decode the variable using `urldecode()`

    $decoded=urldecode($x); //result: I've some comment;
    echo $decoded;
    EXPECTED RESULT:  I've some comment
    ACTUAL RESULT:  I've some comment

Step 3: filter above decoded data and echo the result

    echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
    EXPECTED RESULT:  I've some comment
    ACTUAL RESULT:  I've some comment

Step 4: filter above raw string and echo the result

    echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));
    EXPECTED RESULT:  I've some comment
    ACTUAL RESULT:  I've some comment

I think the Step 3 has some bug.

Test script:
---------------
<?php
$x="I&#39;ve some comment";

$decoded=urldecode($x); //result: I've some comment;
echo $decoded; //result: I've some comment;
echo "\n";
echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
echo "\n";
echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));

Expected result:
----------------
$x="I&#39;ve some comment";
$decoded=urldecode($x); //result: I've some comment;
echo $decoded;
EXPECTED RESULT:  I've some comment

echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
EXPECTED RESULT:  I've some comment

echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));
EXPECTED RESULT:  I've some comment

Actual result:
--------------
$x="I&#39;ve some comment";
$decoded=urldecode($x); //result: I've some comment;
echo $decoded;
ACTUAL RESULT:  I've some comment

echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
ACTUAL RESULT:  I&#39;ve some comment

echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));
ACTUAL RESULT:  I've some comment

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-06 11:33 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2017-09-06 11:33 UTC] requinix@php.net 
&#39; is not a URL-encoded ("percent-encoded") apostrophe. It is an HTML entity.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 05:00:01 2025 UTC