|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #37835 URL rewriting uses raw value of arg_separator.output, not HTML-escaped value
Submitted: 2006-06-18 06:37 UTC Modified: 2006-06-19 07:57 UTC
From: ma499 at doc dot ic dot ac dot uk Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.1.4 OS: n/a
Private report: No CVE-ID: None
 [2006-06-18 06:37 UTC] ma499 at doc dot ic dot ac dot uk
Was previously submitted here and deemed to be bogus:

But I think reviwer of original report ( 
misunderstood. This issue is not bogus.

As reviewer stated, PHPSESSID is appended later, so is not 
translated to &. Hence, in order to produce valid HTML/
XHTML output arg_seperator.output must be set to & and 
is standard practice 

Up until PHP5 this has not been a problem as nothing else 
uses arg_seperator.output.

BUT such a configuration now causes a problem with the new 
http_build_query() in PHP5. The output of that function will 
no longer be valid should the developer want to use in, for 
example, a Location: header (where the & should not be 

This is therefore a bug. I would suggest the problem is with 
the transid code which shoudl escape it's &PHPSESSID output 

Reproduce code:

Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-06-19 07:57 UTC]
http_build_query() in PHP-5.1+ has an optional third "arg_separator" argument.

I suggest, if at all, this is a documentation problem.

PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Jun 28 17:05:44 2022 UTC