php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27158 SID put in the wrong place in anchors containing only HTML entities
Submitted: 2004-02-05 10:02 UTC Modified: 2004-02-05 23:19 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: davey@php.net Assigned:
Status: Wont fix Package: Session related
PHP Version: 4.3.4 OS: WinXP SP1 and FreeBSD 4.9
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2004-02-05 10:02 UTC] davey@php.net
Description:
------------
If you have an anchor, whose href is comprised ONLY of HTML entities - a common spam bot deterrent now - the SID is placed after the & from the first entity, breaking the URI.

Also, if the entities are decoded to "mailto:" links, the SID should not be appended at all...

Is it possible to decode before trying to add the SID and then re-HTMLentities?

Reproduce code:
---------------
<?php
session_start();
?>

// Link to mailto:davey@php.net
<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#100;&#97;&#118;&#101;&#121;&#64;&#112;&#104;&#112;&#46;&#110;&#101;&#116;">&#100;&#97;&#118;&#101;&#121;&#64;&#112;&#104;&#112;&#46;&#110;&#101;&#116;</a>

// Link to http://php.net
<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#112;&#104;&#112;&#46;&#110;&#101;&#116;">php.net</a>


Expected result:
----------------
<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#100;&#97;&#118;&#101;&#121;&#64;&#112;&#104;&#112;&#46;&#110;&#101;&#116;">&#100;&#97;&#118;&#101;&#121;&#64;&#112;&#104;&#112;&#46;&#110;&#101;&#116;</a>

<a href="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#112;&#104;&#112;&#46;&#110;&#101;&#116;?PHPSESSID=SID">php.net</a>

Actual result:
--------------
<a href="&?PHPSESSID=d4030b2d6c97a1425c49071bf8b2ab5a#109;&#97;&#105;&#108;&#116;&#111;&#58;&#100;&#97;&#118;&#101;&#121;&#64;&#112;&#104;&#112;&#46;&#110;&#101;&#116;">&#100;&#97;&#118;&#101;&#121;&#64;&#112;&#104;&#112;&#46;&#110;&#101;&#116;</a>

<a href="&?PHPSESSID=d4030b2d6c97a1425c49071bf8b2ab5a#104;&#116;&#116;&#112;&#58;&#47;&#47;&#112;&#104;&#112;&#46;&#110;&#101;&#116;">php.net</a>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-02-05 23:19 UTC] iliaa@php.net
There is too much room for error with that approach. 
Supporting this syntax properly would be too slow. 
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 08:01:27 2024 UTC