php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #39521 DOMDocument::createElement() does not escape its parameters properly
Submitted: 2006-11-15 06:04 UTC Modified: 2016-06-21 16:14 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:5 of 6 (83.3%)
Same Version:1 (20.0%)
Same OS:3 (60.0%)
From: daniel dot oconnor at gmail dot com Assigned: cmb (profile)
Status: Closed Package: DOM XML related
PHP Version: 5.2.0 OS: Windows
Private report: No CVE-ID: None
 [2006-11-15 06:04 UTC] daniel dot oconnor at gmail dot com
Description:
------------
DomDocument::createElement() should warn you if you create invalid XML.



Reproduce code:
---------------
<?php
$string = '<tree><branch>Fun Games &amp;</branch></tree>';

$xml = new SimpleXMLElement($string);

$xml->addChild('actor', 'John & Doe');
print $xml->asXML();

$dom = new domDocument;

$dom->loadXML($string);

$dom->appendChild($dom->createTextNode("fish &amp; & chips"));

$node = $dom->createElement('fish', 'ampersand & this, &amp;');
$dom->appendChild($node);

print $dom->saveXML();

Expected result:
----------------
A warning when you do the createElement about the unfinished entity; or at least when you try the saveXML

Actual result:
--------------
---------- php ----------

Warning: SimpleXMLElement::addChild(): unterminated entity reference             Doe in C:\vx\tests\simplexml.php on line 6
<?xml version="1.0"?>
<tree><branch>Fun Games &amp;</branch><actor>John </actor></tree>
<?xml version="1.0"?>
<tree><branch>Fun Games &amp;</branch></tree>
fish &amp;amp; &amp; chips
<fish>ampersand & this, &amp;</fish>


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-08 21:06 UTC] jani@php.net
-Package: Feature/Change Request +Package: DOM XML related
 [2014-04-09 09:29 UTC] thomas at weinert dot info
Description:
------------
The second argument ($value) in DOMDocument::createElement()/DOMDocument::createElementNS() is not escaped properly. To be more exact "&" is not escaped, "<" and ">" are. This result in a warning, and not all content is added to the text node inside the created element node.

Reproduce code:
---------------

$dom = new DOMDocument;
$dom
  ->appendChild($dom->createElement('element', 'B & B'));

echo $dom->saveXml();


Expected result:
----------------

<?xml version="1.0"?>
<element>B &amp; B</element>

Actual result:
--------------

Warning: DOMDocument::createElement(): unterminated entity reference               B in /tmp/execpad-c7cffb3796e4/source-c7cffb3796e4 on line 4
<?xml version="1.0"?>
<element>B </element>

Additional Information
----------------------

The bug can be avoided if the text node is created separately and appended to the element node. 

$dom = new DOMDocument;
$dom
  ->appendChild($dom->createElement('element'))
  ->appendChild($dom->createTextNode('B & B'));

echo $dom->saveXml(), "\n";
 [2015-03-12 10:22 UTC] njean at quechoisir dot org
I very much agree with Thomas here: expected result is the node being added with all special characters being escaped, including ampersand.

So I believe the title of this bug is misleading, it should be called something like "DomDocument::createElement() does not escape its parameters properly".
 [2016-06-21 15:50 UTC] cmb@php.net
-Summary: DomDocument::createElement() should warn you if you create invalid XML. +Summary: DOMDocument::createElement() does not escape its parameters properly -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2016-06-21 15:50 UTC] cmb@php.net
> DomDocument::createElement() should warn you if you create
> invalid XML.

That has been fixed in the meantime as demonstrated by Thomas'
script.

> I very much agree with Thomas here: expected result is the node
> being added with all special characters being escaped, including
> ampersand.

I disagree. If ampersands would be escaped, it wouldn't be
possible to have XML entity references in the value, what is
sometimes necessary.

> To be more exact "&" is not escaped, "<" and ">" are.

This is somewhat inconsistent, but escaping the & is not an
option, in my opinion. However, it's totally unclear to me why
double-quotes also don't get escaped.

Anyhow, changing the behavior of DOMDocument::createElement()
would cause a considerable BC break, and as such requires the RFC
process[1]. Feel free to submit such an RFC.

I'm changing this ticket to doc bug, so at least the behavior
will be documented.

[1] <https://wiki.php.net/rfc/howto>
 [2016-06-21 16:13 UTC] cmb@php.net
-Type: Feature/Change Request +Type: Documentation Problem
 [2016-06-21 16:14 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=339438
Log: Fix #39521: DOMDocument::createElement() does not escape its parameters properly
 [2016-06-21 16:14 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-02-07 06:07 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=3e78b76ce4215a4927bf0926de9fbe4594e2e2b8
Log: Fix #39521: DOMDocument::createElement() does not escape its parameters properly
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Nov 22 13:01:29 2024 UTC