php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #25248 SESSION encoding in urls should use HTML entities not ampersands
Submitted: 2003-08-26 06:06 UTC Modified: 2003-08-26 06:31 UTC
From: js at nomensa dot com Assigned:
Status: Not a bug Package: Output Control
PHP Version: 4.3.2 OS: all
Private report: No CVE-ID: None
 [2003-08-26 06:06 UTC] js at nomensa dot com
Description:
------------
When cookies are disabled php encodes a session id in the output urls.

It currently uses single ampersands '&' but this is illegal in XHTML (and slightly illegal in HTML), the ampersand character in <a> links etc should be encoded as the entity '&amp;'.

Additionally semi-colons could also be used to get around this whole mess.

Actually, I prefer semi-colons. It would be good if PHP supported this.

Reproduce code:
---------------
Go to this link with cookies off:

http://alastc.homeip.net/alastairc/page.php



Expected result:
----------------
Url should be encoded properly:

Should be written as:

<li><a href="page.php?domain=&amp;type=news&amp;PHPSESSID=ef38d5d3bc286f6e1de5581003d710d5">News</a></li>

Actual result:
--------------
Links are written illegally:

<li><a href="page.php?domain=&amp;type=news&PHPSESSID=ef38d5d3bc286f6e1de5581003d710d5">News</a></li>


This fails the DTD check under XHTML 1.0 (strict)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-08-26 06:31 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

See the php.ini setting arg_separator.output
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 01:01:28 2024 UTC