Bug #15653 use_trans_sid creates invalid HTML
Submitted: 2002-02-20 21:52 UTC Modified: 2002-02-21 20:28 UTC
From: teilo+php at teilo dot net Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.1.1 OS: Debian GNU Linux
Private report: No CVE-ID: None
 [2002-02-20 21:52 UTC] teilo+php at teilo dot net
When using sessions and trans_sid is enabled, local links are rewritten to include the SID. However, this rewriting just appends &<sessionname>=SID, whereas to comply with HTML standards it needs to be &amp;<sessionname>=SID.

(netscape 3.x can't handle these types of links either!)

php4 from debian testing (4.1.1-2)

 [2002-02-21 02:38 UTC] sniper@php.net
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit http://www.php.net/support.php
 [2002-02-21 11:49 UTC] teilo+php at teilo dot net
This is not a support question. It is a bug report for PHP!!

PHP is creating INVALID code. 

try the following code with trans_sid enabled

-- test.php
<?php
// session.use_trans_sid must be enabled for the link below to be rewritten

session_start();


print <<< EOF
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
 <HEAD><TITLE>PHP bug</TITLE>
 <BODY>
  <H1>PHP BUG</H1>
  <A HREF="/anotherfile.php?foo=bar">This will cause invalid HTML after trans_sid has done its work</A>
 </BODY>
</HTML>
EOF;

-- end test.php

-- output from test.php

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>PHP bug</title>
<body>
<h1>PHP BUG</h1>
<a HREF="/anotherfile.php?foo=bar&PHPSESSID=d9ddfafa45d6ed0208ed436fe9bda137">This will cause invalid HTML after trans_sid has done its work</a>
</body>
</html>


-- end output from test.php

check the link ref <a HREF="/anotherfile.php?foo=bar&PHPSESSID=d9ddfafa45d6ed0208ed436fe9bda137">
that is *invalid* HTML; the & *must* be escaped.

<SNIP>
Another common error occurs when including a URL which contains an ampersand ("&"):

<!-- This is invalid! --> <a href="foo.cgi?chapter=1&section=2">...</a>

This example generates an error for "unknown entity section" because the "&" is assumed to begin an entity. In many cases, browsers will recover safely from the error, but the example used here will cause the link to fail in Netscape 3.x (but not other versions of Netscape) since it will assume that the author intended to write &sect;ion, which is equivalent to ?ion.

To avoid problems with both validators and browsers, always use &amp; in place of &:

<a href="foo.cgi?chapter=1&amp;section=2">...</a>
</SNIP>
see http://www.htmlhelp.com/tools/validator/problems.html#amp

I suggest you look at the HTML 4.01 spec sec 12.2
http://www.w3.org/TR/html401/struct/links.html#h-12.2

<!ATTLIST A
  ...
  name CDATA #IMPLIED  -- named link end --
  ...
>



<!ENTITY % URI "CDATA"
    -- a Uniform Resource Identifier,
       see [URI]
-->


    * CDATA is a sequence of characters from the document character set and may include character entities. User agents should interpret attribute values as follows:
!!---->   * Replace character entities with characters,
          * Ignore line feeds,
          * Replace each carriage return or tab with a single space.
 [2002-02-21 11:57 UTC] cynic@php.net
`grep arg_separator php.ini`

this *is* bogus.

 [2002-02-21 12:12 UTC] teilo+php at teilo dot net
But then the *default* (just '&') is wrong surely?

http://www.php.net/manual/en/function.ini-set.php#AEN56526

grep arg_sep php.ini
;arg_separator.output = "&amp;"
;arg_separator.input = ";&"

IIRC even XHTML needs to escape the &
 [2002-02-21 20:28 UTC] yohgaki@php.net
Of course we know the default is not correct.
We just use legacy one for compatibility.

I might change default for 4.2.0.
 [2004-06-10 16:13 UTC] djik at libertysurf dot fr
> We just use legacy one for compatibility.

Compatibility with what??! It will be more compatible with all HTML versions with &amp; (and <div><input ...></div> in the forms).
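An added example, not code from the bug report, from the commenters, or from PHP itself, that ties the thread together: it shows how arg_separator.output decides whether PHP emits "&" or "&amp;" in the query strings it builds (http_build_query() reads that setting when no separator is passed, and trans_sid rewriting uses the same setting), adds a small check that flags a bare "&" in generated markup, and ends with the session settings that keep the SID out of URLs altogether. The SID is copied from the report output; rewriteLikeTransSid() and hasBareAmpersand() are helpers written for this example and only imitate the "<sep>PHPSESSID=<sid>" rewrite shown above, they are not PHP's own rewriting code.

```php
<?php
// Added example (not from the bug report or from PHP's sources).
// 1. arg_separator.output controls the separator PHP emits in query strings
//    (both for use_trans_sid rewriting and for http_build_query()).
// 2. hasBareAmpersand() flags the HTML 4.01 error discussed in the thread.
// 3. The ini settings at the end stop the SID from being put into URLs.
declare(strict_types=1);

// SID taken from the report's output; any session ID would do.
const SAMPLE_SID = 'd9ddfafa45d6ed0208ed436fe9bda137';

/**
 * Imitate what use_trans_sid appends to a local link, using the separator
 * given. Real trans_sid takes the separator from arg_separator.output; this
 * helper makes that choice explicit so both outcomes can be shown side by side.
 */
function rewriteLikeTransSid(string $href, string $sid, string $sep, string $name = 'PHPSESSID'): string
{
    $joiner = (strpos($href, '?') === false) ? '?' : $sep;
    return $href . $joiner . $name . '=' . $sid;
}

/**
 * True when the markup contains an "&" that does not start a character
 * reference (&amp;, &#38;, &#x26; ...). Note that "&sect;ion" IS a valid
 * reference and passes this check, which is exactly why a browser can read
 * "?chapter=1&section=2" as "?chapter=1§ion=2" (the htmlhelp example above).
 */
function hasBareAmpersand(string $html): bool
{
    return preg_match('/&(?![A-Za-z][A-Za-z0-9]*;|#[0-9]+;|#[xX][0-9A-Fa-f]+;)/', $html) === 1;
}

/** Query string as PHP builds it under the given arg_separator.output. */
function queryUnderSeparator(string $sep): string
{
    ini_set('arg_separator.output', $sep);
    // With no explicit separator argument, http_build_query() uses
    // arg_separator.output, so this mirrors what trans_sid would emit.
    return http_build_query(['foo' => 'bar', 'PHPSESSID' => SAMPLE_SID]);
}

foreach (['&', '&amp;'] as $sep) {
    $link = rewriteLikeTransSid('/anotherfile.php?foo=bar', SAMPLE_SID, $sep);
    $html = '<a href="' . $link . '">link</a>';
    printf("arg_separator.output = %s\n", var_export($sep, true));
    printf("  http_build_query(): %s\n", queryUnderSeparator($sep));
    printf("  rewritten link:     %s\n", $html);
    printf("  bare ampersand?     %s\n", hasBareAmpersand($html) ? 'yes (invalid HTML)' : 'no');
}

// Hardening: not putting the session ID into URLs avoids the markup problem
// and, more importantly, stops the SID leaking through Referer headers,
// proxy/server logs and bookmarks. Set these before session_start()
// (or in php.ini); the php.ini default for arg_separator.output is "&".
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_cookies', '1');
```

With arg_separator.output = "&" the loop prints a link containing `&PHPSESSID=` and reports a bare ampersand; with "&amp;" it prints `&amp;PHPSESSID=` and the check passes. The setting only changes how PHP writes query strings, so if use_trans_sid stays on it should be paired with arg_separator.output = "&amp;" in php.ini rather than the legacy default the thread discusses.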
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri May 17 18:01:33 2024 UTC