php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75187 Unexpected extra characters output in file/page.
Submitted: 2017-09-11 12:40 UTC Modified: 2017-09-15 07:22 UTC
From: frederic dot nicolas_xkpad at laposte dot net Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 7.0.23 OS: DSM 6.1.3-15152 Update 4
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: frederic dot nicolas_xkpad at laposte dot net
New email:
PHP Version: OS:

 

 [2017-09-11 12:40 UTC] frederic dot nicolas_xkpad at laposte dot net 
Description:
------------
Unexpected extra characters output in file/page, creating not working page when these unexpected characters interfer with JS/Html code in the output page.
Exemple provided.

According to tests on my side regarding this exemple:
- can change the letter "a" (in "<a") to whatever letter + add other letters
- cannot suppress other character after "<script>" but lot more character can be added in the <script>..</script> part
- the position of the unexpected extra character changes according to the number of characters/line in the <script>..</script> part

In the code where I noticed the problem, there where many characters before the <script> part, which itself included several JS functions. The unexepected extra character make the JS not working.

Test script:
---------------
<html>
<?php 
$z = 98270;
for ($i=0; $i<$z; $i++)	echo "q";
?>
<script>
<!--
<a
-->
</script>
</html>

Expected result:
----------------
<html>
....qq<script>
<!--
<a
--></script>
</html>

Actual result:
--------------
<html>
....qq<script>
<!--
<a
--></a/script>
</html>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-11 12:58 UTC] spam2 at rhsoft dot net 
this is simply not true and even not possible with the code you have given because PHP ends with "?>" and anything after that is echoed as it is - you pretty sure took some random code as sample while there where you see that output much more and likely output buffers are involved

[harry@rh:/mnt/data/downloads]$ php test.php
<html>
qqqqqqqqqq<script>
<!--
<a
-->
</script>
</html>

[harry@rh:/mnt/data/downloads]$ cat test.php
<html>
<?php
$z = 10;
for ($i=0; $i<$z; $i++) echo "q";
?>
<script>
<!--
<a
-->
</script>
</html>
 [2017-09-11 13:56 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2017-09-11 13:56 UTC] requinix@php.net 
This is highly unlikely to be a bug with PHP. Keep looking.
 [2017-09-15 06:37 UTC] frederic dot nicolas_xkpad at laposte dot net
-Status: Feedback +Status: Open
 [2017-09-15 06:37 UTC] frederic dot nicolas_xkpad at laposte dot net 
I've received some comments indicating that 'this is not true'. Well just try the sample code & see for yourself. The bug happens on php 5 & 7. I suppose this is an overflow.
Make sure to use $z=98270 (and not different value) otherwise the extra character will not appear in the very short code I've put after the ?> to make the sample code.
If longer code is used after ?> then other value for $z can be used. 
This bug appeared in my real code (where $z of course was not a loop but include, echo & the like)
 [2017-09-15 07:11 UTC] frederic dot nicolas_xkpad at laposte dot net 
@requinix : Thx for your feedback, after a while your point (..end with ?>) get to me => I've tried with other browsers than chrome and was not able to reproduce the bug, while it is systematic with chrome. 
So I guess this is more a browser bug than a PHP bug. 
Furthermore, I do not use the latest version of chrome... 
Sorry to have took of your time. It took a while for me to get what was bugging & because the bug was related to the PHP code (changing $z was changing the place of the unexpected character) I (wrongly)thought it was PHP dependant.
 [2017-09-15 07:22 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2017-09-15 07:22 UTC] requinix@php.net 
Don't rely on what you see rendered in the browser to know what PHP did. Always View Source.

It may very well have been a bug with Chrome; I searched through the Chromium bug tracker briefly but didn't see anything.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Jul 13 14:01:31 2025 UTC