PHP :: Doc Bug #39521 :: DOMDocument::createElement() does not escape its parameters properly

DOMDocument::createElement() does not escape its parameters properly

Submitted:

2006-11-15 06:04 UTC

Modified:

2016-06-21 16:14 UTC

Votes:	6
Avg. Score:	4.8 ± 0.4
Reproduced:	5 of 6 (83.3%)
Same Version:	1 (20.0%)
Same OS:	3 (60.0%)

From:

daniel dot oconnor at gmail dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

DOM XML related

PHP Version:

5.2.0

OS:

Windows

Private report:

CVE-ID:

None

View Developer Edit

[2006-11-15 06:04 UTC] daniel dot oconnor at gmail dot com

Description:
------------
DomDocument::createElement() should warn you if you create invalid XML.



Reproduce code:
---------------
<?php
$string = '<tree><branch>Fun Games &amp;</branch></tree>';

$xml = new SimpleXMLElement($string);

$xml->addChild('actor', 'John & Doe');
print $xml->asXML();

$dom = new domDocument;

$dom->loadXML($string);

$dom->appendChild($dom->createTextNode("fish &amp; & chips"));

$node = $dom->createElement('fish', 'ampersand & this, &amp;');
$dom->appendChild($node);

print $dom->saveXML();

Expected result:
----------------
A warning when you do the createElement about the unfinished entity; or at least when you try the saveXML

Actual result:
--------------
---------- php ----------

Warning: SimpleXMLElement::addChild(): unterminated entity reference             Doe in C:\vx\tests\simplexml.php on line 6
<?xml version="1.0"?>
<tree><branch>Fun Games &amp;</branch><actor>John </actor></tree>
<?xml version="1.0"?>
<tree><branch>Fun Games &amp;</branch></tree>
fish &amp;amp; &amp; chips
<fish>ampersand & this, &amp;</fish>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-04-08 21:06 UTC] jani@php.net

-Package: Feature/Change Request +Package: DOM XML related

[2014-04-09 09:29 UTC] thomas at weinert dot info

Description:
------------
The second argument ($value) in DOMDocument::createElement()/DOMDocument::createElementNS() is not escaped properly. To be more exact "&" is not escaped, "<" and ">" are. This result in a warning, and not all content is added to the text node inside the created element node.

Reproduce code:
---------------

$dom = new DOMDocument;
$dom
  ->appendChild($dom->createElement('element', 'B & B'));

echo $dom->saveXml();


Expected result:
----------------

<?xml version="1.0"?>
<element>B &amp; B</element>

Actual result:
--------------

Warning: DOMDocument::createElement(): unterminated entity reference               B in /tmp/execpad-c7cffb3796e4/source-c7cffb3796e4 on line 4
<?xml version="1.0"?>
<element>B </element>

Additional Information
----------------------

The bug can be avoided if the text node is created separately and appended to the element node. 

$dom = new DOMDocument;
$dom
  ->appendChild($dom->createElement('element'))
  ->appendChild($dom->createTextNode('B & B'));

echo $dom->saveXml(), "\n";

[2015-03-12 10:22 UTC] njean at quechoisir dot org

I very much agree with Thomas here: expected result is the node being added with all special characters being escaped, including ampersand.

So I believe the title of this bug is misleading, it should be called something like "DomDocument::createElement() does not escape its parameters properly".

[2016-06-21 15:50 UTC] cmb@php.net

-Summary: DomDocument::createElement() should warn you if you create invalid XML. +Summary: DOMDocument::createElement() does not escape its parameters properly -Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2016-06-21 15:50 UTC] cmb@php.net

> DomDocument::createElement() should warn you if you create
> invalid XML.

That has been fixed in the meantime as demonstrated by Thomas'
script.

> I very much agree with Thomas here: expected result is the node
> being added with all special characters being escaped, including
> ampersand.

I disagree. If ampersands would be escaped, it wouldn't be
possible to have XML entity references in the value, what is
sometimes necessary.

> To be more exact "&" is not escaped, "<" and ">" are.

This is somewhat inconsistent, but escaping the & is not an
option, in my opinion. However, it's totally unclear to me why
double-quotes also don't get escaped.

Anyhow, changing the behavior of DOMDocument::createElement()
would cause a considerable BC break, and as such requires the RFC
process[1]. Feel free to submit such an RFC.

I'm changing this ticket to doc bug, so at least the behavior
will be documented.

[1] <https://wiki.php.net/rfc/howto>

[2016-06-21 16:13 UTC] cmb@php.net

-Type: Feature/Change Request +Type: Documentation Problem

[2016-06-21 16:14 UTC] cmb@php.net

Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=339438
Log: Fix #39521: DOMDocument::createElement() does not escape its parameters properly

[2016-06-21 16:14 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2020-02-07 06:07 UTC] phpdocbot@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=3e78b76ce4215a4927bf0926de9fbe4594e2e2b8
Log: Fix #39521: DOMDocument::createElement() does not escape its parameters properly

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 21:00:02 2025 UTC