php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #37835 URL rewriting uses raw value of arg_separator.output, not HTML-escaped value
Submitted: 2006-06-18 06:37 UTC Modified: 2006-06-19 07:57 UTC
From: ma499 at doc dot ic dot ac dot uk Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.1.4 OS: n/a
Private report: No CVE-ID: None
 [2006-06-18 06:37 UTC] ma499 at doc dot ic dot ac dot uk
Description:
------------
Was previously submitted here and deemed to be bogus:
http://bugs.php.net/bug.php?id=30049

But I think reviwer of original report (nlopess@php.net) 
misunderstood. This issue is not bogus.

As reviewer stated, PHPSESSID is appended later, so is not 
translated to &. Hence, in order to produce valid HTML/
XHTML output arg_seperator.output must be set to & and 
is standard practice 

Up until PHP5 this has not been a problem as nothing else 
uses arg_seperator.output.

BUT such a configuration now causes a problem with the new 
http_build_query() in PHP5. The output of that function will 
no longer be valid should the developer want to use in, for 
example, a Location: header (where the & should not be 
escaped).

This is therefore a bug. I would suggest the problem is with 
the transid code which shoudl escape it's &PHPSESSID output 
to &PHPSESSID.

Reproduce code:
---------------
See http://bugs.php.net/bug.php?id=30049

Expected result:
----------------
See http://bugs.php.net/bug.php?id=30049

Actual result:
--------------
See http://bugs.php.net/bug.php?id=30049

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-06-19 07:57 UTC] mike@php.net
http_build_query() in PHP-5.1+ has an optional third "arg_separator" argument.

I suggest, if at all, this is a documentation problem.

 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Feb 19 22:01:28 2020 UTC