Request #5254 No bug, feature ;)
Submitted: 2000-06-29 01:00 UTC Modified: 2000-08-30 14:06 UTC
From: bram at doit-e dot net Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0 Latest CVS (29/06/2000) OS: Linux
Private report: No CVE-ID: None
 [2000-06-29 01:00 UTC] bram at doit-e dot net
I think it would be useful to incorporate the following change in the next release.
--- php-4.0.0-cp/ext/standard/html.c    Thu May 18 21:34:35 2000
+++ php-4.0.0/ext/standard/html.c       Wed Jun 28 10:06:12 2000
@@ -64,6 +64,10 @@
                } else if (34 == *old) {
                        memcpy (new + len, """, 6);
                        len += 6;
+               } else if (39 == *old) {
+                       /* single quote (') */
+                       memcpy (new + len, "'",6);
+                       len += 6;
                } else if (60 == *old) {
                        memcpy (new + len, "<", 4);
                        len += 4;
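Review bot: the new `39 == *old` branch copies a hard-coded 6 bytes from its literal, and as the hunk is rendered on this page that literal is a single character, so please confirm against the raw patch that the source string really is six bytes long (the neighbouring context lines show the same mismatch between literal and copy length here); taking the length from the literal instead of repeating it would rule out an over-read. The hunk also does not show how `new` is sized, so check that the allocation covers the worst case for this branch; the existing `34 == *old` branch already writes 6 bytes per input byte, which suggests it does. Two smaller points: the change applies to every caller with no way to opt out, which alters the output seen by existing code, and `"'",6` lacks the space after the comma that the surrounding lines use.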

tnx :)

 [2000-07-18 07:03 UTC] hholzgra at cvs dot php dot net
what for?
 [2000-07-25 12:18 UTC] hholzgra@php.net
feedback was:

> Because a ' is used for db queries and I think it's pretty
> standard behaviour to escape it as well.
> For example if you use PHP together with Javascript, 
> it's much easier if it's escaped.
> And it doesn't break anything I think so why not? :)

so it's in CVS now
 [2000-08-30 00:50 UTC] cmv@php.net
I *really* think this was a bad, bad thing.

It now makes HTMLSpecialChars backwards incompatible 
with older versions of PHP4, not to mention PHP3.

If the original poster wanted to escape single quotes,
then he/she should be using htmlentities(), or urlencode(), or even strtr().

Needless to say, I need to recode a chunk of my site to deal with this "new feature".

Please, please, can we reverse this patch?
 [2000-08-30 07:05 UTC] waldschrott@php.net
besides, ' is no HTML-SPECIAL char and *mustn't* be escaped
(just like double quotes and backslashes mustn't),
this patch has to be reverted!!!
if he wants to escape single quotes he ought to use
addslashes() which quotes db stuff
 [2000-08-30 07:14 UTC] waldschrott@php.net
correction: double quotes are HTML-special chars :) single
quote is AFAIK not (except Unicode's "left" and "right"
single quotation mark)

 [2000-08-30 10:30 UTC] cmv@php.net
Yes, the single quote isn't a special HTML character.

If you read the original feature request, you can see that they wanted to use it for DB queries (in which case use addslashes() or turn on magic quotes) and Javascript (in which case ... well, do something else).

Unless I hear otherwise, I am taking this out of the CVS.
 [2000-08-30 14:06 UTC] cmv@php.net
This has been reverted in the latest CVS.
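
The backward-compatibility objection raised in this thread, illustrated with an added example that is not part of the report or of PHP's source: a C escaper in the style of the patched loop where single-quote escaping is opt-in, so existing callers keep their output, and where the copy length is derived from each literal. `escape_html`, `ESC_SINGLE_QUOTE` and `MAX_EXPANSION` are hypothetical names, and the entity strings are assumed, since the page shows them decoded.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ESC_SINGLE_QUOTE 1  /* hypothetical opt-in flag, not from the patch */
#define MAX_EXPANSION 6     /* longest replacement: "&quot;" or "&#039;" */

/* Returns a malloc'd, NUL-terminated escaped copy of s, or NULL on failure. */
char *escape_html(const char *s, int flags)
{
    size_t n = strlen(s), len = 0;
    char *out;
    if (n > (SIZE_MAX - 1) / MAX_EXPANSION) /* size computation would overflow */
        return NULL;
    out = malloc(n * MAX_EXPANSION + 1);    /* worst case: every byte expands */
    if (out == NULL)
        return NULL;
    for (; *s != '\0'; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '\'': if (flags & ESC_SINGLE_QUOTE) rep = "&#039;"; break;
        }
        if (rep != NULL) {
            size_t rlen = strlen(rep);      /* length comes from the literal */
            memcpy(out + len, rep, rlen);
            len += rlen;
        } else {
            out[len++] = *s;                /* ordinary byte, copied as-is */
        }
    }
    out[len] = '\0';
    return out;
}

int main(void)
{
    const char *sample = "<a title='x \"y\"'>";  /* constructed input */
    char *plain = escape_html(sample, 0);
    char *quoted = escape_html(sample, ESC_SINGLE_QUOTE);
    if (plain && quoted)
        printf("%s\n%s\n", plain, quoted);
    free(plain);
    free(quoted);
    return 0;
}
```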
 
Last updated: Mon Apr 20 17:00:02 2026 UTC