Bug #53988 xml_parse() reads illegal start character in id-attribute
Submitted: 2011-02-10 22:36 UTC
Modified: 2011-02-12 17:06 UTC
From: joschmidt at users dot sourceforge dot net
Assigned:
Status: Not a bug
Package: *XML functions
PHP Version: Irrelevant
OS: Linux Ubuntu 10.10
Private report: No
CVE-ID: None
 [2011-02-10 22:36 UTC] joschmidt at users dot sourceforge dot net
Description:
------------
PHP version: PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:08:14)
libXML Compiled Version: 2.7.7
libXML Loaded Version: 20707

The following invalid XTM 2.0 document (invalid id attribute) is parsed successfully using xml_parse():

<topicMap xmlns="http://www.topicmaps.org/xtm/" version="2.0">
  <topic id="2topic">
  </topic>
</topicMap>

ID is a derived datatype from XML NCName (see http://www.w3.org/TR/xmlschema-2/#NCName). NCNames must not start with [0-9]. NameStartChar is defined as:

NameStartChar ::= ":" | [A-Z] | "_" | [a-z] | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF] | [#x370-#x37D] | [#x37F-#x1FFF] | [#x200C-#x200D] | [#x2070-#x218F] | [#x2C00-#x2FEF] | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD] | [#x10000-#xEFFFF] 

(see http://www.w3.org/TR/xml11/#sec-common-syn)


Test script:
---------------
xml_parse() is wrapped in http://quaaxtm.svn.sourceforge.net/viewvc/quaaxtm/trunk/lib/quaaxtmio/src/in/XTM201TopicMapReader.class.php?revision=400

Expected result:
----------------
Parsing of <topic id="2topic"> should throw an appropriate XML error, e.g. XML_ERROR_SYNTAX


 [2011-02-12 08:38 UTC] kalle@php.net
-Status: Open +Status: Bogus
 [2011-02-12 08:38 UTC] kalle@php.net
You should use the DOM extension, namely the DOMDocument::validate() method, to validate an XML document against a DTD, as the xml_* functions do not validate against a DTD; they only parse the document.
 [2011-02-12 17:06 UTC] joschmidt at users dot sourceforge dot net
Validation of a DTD is not the case. The given issue is a violation of XML core (namely of "Common Syntactic Constructs", see http://www.w3.org/TR/xml11/#sec-common-syn) - not a violation of XTM 2.0 DTD (or any other DTD).
Just as xml_parse() rejects, e.g., <foo>bar</bar> (throws error "Mismatched tag"), illegal id attributes (IMO a common syntactic construct) should also throw a parse error.
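
Added example, not part of the report or the thread and not code from the PHP project: since xml_parse() accepts the document shown in the report, an application that relies on NCName-conformant ids can check them itself in the start-element handler. The function names isNCName() and findInvalidIds() are hypothetical, and treating every attribute named "id" as an ID is an assumption of this sketch; the second topic in the sample is constructed.

```php
<?php
// NCName = XML Name without ":" (NameStartChar ranges as quoted in the report, minus ":").
const NCNAME_START = 'A-Z_a-z\x{C0}-\x{D6}\x{D8}-\x{F6}\x{F8}-\x{2FF}\x{370}-\x{37D}'
    . '\x{37F}-\x{1FFF}\x{200C}-\x{200D}\x{2070}-\x{218F}\x{2C00}-\x{2FEF}'
    . '\x{3001}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFFD}\x{10000}-\x{EFFFF}';
// Characters allowed after the first one: "-", ".", digits, #xB7 and combining marks.
const NCNAME_REST = '\-.0-9\x{B7}\x{300}-\x{36F}\x{203F}-\x{2040}';

function isNCName(string $value): bool
{
    $re = '/^[' . NCNAME_START . '][' . NCNAME_START . NCNAME_REST . ']*$/u';
    return preg_match($re, $value) === 1; // invalid UTF-8 also yields false
}

// Parse with the xml_* API and collect every "id" attribute that is not an NCName.
function findInvalidIds(string $xml): array
{
    $bad = [];
    $parser = xml_parser_create('UTF-8');
    // Case folding is on by default and would turn "id" into "ID".
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
    xml_set_element_handler(
        $parser,
        function ($p, string $name, array $attrs) use (&$bad) {
            if (isset($attrs['id']) && !isNCName($attrs['id'])) {
                $bad[] = ['line' => xml_get_current_line_number($p), 'id' => $attrs['id']];
            }
        },
        function ($p, string $name) {}
    );
    if (xml_parse($parser, $xml, true) !== 1) {
        throw new RuntimeException(xml_error_string(xml_get_error_code($parser)));
    }
    return $bad;
}

// The document from the report plus one constructed topic with a conformant id.
$xml = <<<'XML'
<topicMap xmlns="http://www.topicmaps.org/xtm/" version="2.0">
  <topic id="2topic">
  </topic>
  <topic id="topic2"/>
</topicMap>
XML;
foreach (findInvalidIds($xml) as $hit) {
    printf("line %d: id \"%s\" is not an NCName\n", $hit['line'], $hit['id']);
}
```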
 
Last updated: Wed Dec 07 22:04:14 2022 UTC