|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47532 DOMAttribute value getter and setter do not escape equally
Submitted: 2009-02-28 16:13 UTC Modified: 2010-02-14 13:31 UTC
Avg. Score:4.3 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: sgunderson at bigfoot dot com Assigned:
Status: Wont fix Package: DOM XML related
PHP Version: 5.3CVS-2009-02-28 (snap) OS: Debian
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: sgunderson at bigfoot dot com
New email:
PHP Version: OS:


 [2009-02-28 16:13 UTC] sgunderson at bigfoot dot com
When you fetch the "value" field of a DOMAttribute, it seems to unescape any HTML (or perhaps XML?) entities present. However, when you set it, it does not get escaped. In other words, if you do "$attr->value = $attr->value" (which really should be a no-op!) as in the example below, you will get errors if it happened to contain &.

Verified with PHP 5.2.6 and 5.3.0 snap (2008-02-28).

Reproduce code:

$doc = new DOMDocument;
$doc->loadXML('<html><element /></html>');
$elem = $doc->documentElement->firstChild;
$attr = $doc->createAttribute("foo");
$attr->value = "foo&amp;bar";
$attr->value = $attr->value;
print $doc->saveXML();


Expected result:
<?xml version="1.0"?>
<html><element foo="foo&amp;bar"/></html>

Actual result:
Warning: main(): unterminated entity reference             bar in /home/sesse/test3.php on line 8
<?xml version="1.0"?>
<html><element foo="foo"/></html>


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-02-14 13:31 UTC]
Changing this would break some long standing BC. The problem is really 
in setting the attribute value. The workaround for this is to use 
something like htmlspecialchars when setting a DOMAttr->value using 
another DOMAttr->value
 [2010-05-31 08:53 UTC] nospaces at eatmorespuds dot com
Might be good to ensure this appears in the PHP documentation.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 22 07:01:34 2024 UTC