Bug #23049 href, textarea, session.use_trans_sid = 1 and session.use_cookies = 0
Submitted: 2003-04-04 06:43 UTC Modified: 2003-04-08 20:32 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: adu@php.net Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.2-RC OS: REDHAT 8
Private report: No CVE-ID: None
 [2003-04-04 06:43 UTC] adu@php.net
Write this into a PHP file:

// START HERE //////////////////////////
<?php session_start(); ?>
<form><textarea><a href=/>ROOT</a></textarea></form>
// END HERE //////////////////////////

If you have
    session.use_trans_sid = 1
    session.use_cookies = 0
in php.ini, href=/ will be replaced with
href="/?PHPSESSID=8c620e45832e417c14f3458c0a826274"
although it is inside a textarea.

 [2003-04-08 20:32 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The <a href> should've been encoded, then the problem would not have occurred. Expected behaviour with invalid HTML.
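
The encoding described in the reply above, applied to the file from the report. This is an added example, not code from the report or from the PHP project. It assumes the same php.ini settings as the report, and `$snippet` is a hypothetical variable name.

```php
<?php
// Assumed php.ini, as in the report:
//   session.use_trans_sid = 1
//   session.use_cookies   = 0
session_start();

// Hypothetical variable: markup that should appear as editable text,
// not as a live link, inside the textarea.
$snippet = '<a href=/>ROOT</a>';
?>
<form>
  <!-- htmlspecialchars() emits &lt;a href=/&gt;ROOT&lt;/a&gt;, so the output
       contains no literal <a ...> tag for the URL rewriter to match. The
       browser still displays <a href=/>ROOT</a> in the textarea. -->
  <textarea><?php echo htmlspecialchars($snippet); ?></textarea>
</form>

<!-- A real link outside the textarea is still a literal tag, so it is
     rewritten to carry the session id as usual. -->
<a href="/">ROOT</a>
```

The same encoding also stops textarea content that contains `</textarea>` from closing the element early and being parsed as markup.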
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 20 12:00:03 2025 UTC