Bug #14080 (trans sid bug) The doubledoublequote strikes again
Submitted: 2001-11-16 05:56 UTC Modified: 2002-09-25 05:41 UTC
Votes:3
Avg. Score:4.0 ± 0.8
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: fischer at ms-net dot de Assigned:
Status: Closed Package: Session related
PHP Version: 4.2.0-dev OS: ANY
Private report: No CVE-ID: None
 [2001-11-16 05:56 UTC] fischer at ms-net dot de
I came across the bug described in Bug-ID #8311 with 4.03pl1
on our old Server, so I transferred it to the new Server running 4.0.6 and the behaviour is nearly the same.
This:
<?php
session_start();
$somevar = "<a href=\"javascript:;\" onClick=window.open(\"/hardware/somevar.php?hinfoid=".$somevar_id."\",\"chgti\",\"location=0,directories=0,status=0,menubar=0,scrollbars=0,toolbar=0,width=450,height=470\");>Badlink</a>";
echo $somevar;
?>

produces this:
<a href="javascript:;" onClick="window.open(""/hardware/somevar.php?hinfoid=","chgti","location=0,directories=0,status=0,menubar=0,scrollbars=0,toolbar=0,width=450,height=470");>Badlink</a>

Without the session, the Output is normal, both with 4.0.3pl1 and 4.06.
The only difference is that 4.0.6 does a few less quotes than 4.0.3pl1.

Trans-SID is enabled, PHP is running as an Apache-Module



 [2001-11-19 12:47 UTC] bate@php.net
I got the same problem.
Tried with 4.2.0-dev.

 [2001-12-19 22:54 UTC] yohgaki@php.net
PHP Version updated
 [2002-01-24 15:15 UTC] fischer at ms-net dot de
still active, see also Bug #14991
 [2002-02-03 20:00 UTC] yohgaki@php.net
Added "trans sid bug" to summary
 [2002-09-25 05:41 UTC] sas@php.net
Has been fixed in 4.3 CVS.