Bug #53988 xml_parse() reads illegal start character in id-attribute
Submitted: 2011-02-10 22:36 UTC
Modified: 2011-02-12 17:06 UTC
From: joschmidt at users dot sourceforge dot net
Assigned:
Status: Not a bug
Package: *XML functions
PHP Version: Irrelevant
OS: Linux Ubuntu 10.10
Private report: No
CVE-ID: None
 [2011-02-10 22:36 UTC] joschmidt at users dot sourceforge dot net
PHP version: PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:08:14)
libXML Compiled Version: 2.7.7
libXML Loaded Version: 20707

The following invalid XTM 2.0 document (invalid id attribute) is parsed successfully using xml_parse():

<topicMap xmlns="" version="2.0">
  <topic id="2topic">

ID is a derived datatype from XML NCName (see NCNames must not start with [0-9]. NameStartChar is defined as:

NameStartChar ::= ":" | [A-Z] | "_" | [a-z] | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF] | [#x370-#x37D] | [#x37F-#x1FFF] | [#x200C-#x200D] | [#x2070-#x218F] | [#x2C00-#x2FEF] | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD] | [#x10000-#xEFFFF] 


Test script:
xml_parse() is wrapped in

Expected result:
Parsing of <topic id="2topic"> should throw an appropriate XML error, e.g. XML_ERROR_SYNTAX


 [2011-02-12 08:38 UTC]
-Status: Open +Status: Bogus
 [2011-02-12 08:38 UTC]
You should use the DOM extension, namely the DOMDocument::validate() method, to validate an XML document against a DTD, as the xml_* functions do not validate against a DTD; they only parse the document.
 [2011-02-12 17:06 UTC] joschmidt at users dot sourceforge dot net
Validation of a DTD is not the case. The given issue is a violation of XML core (namely of "Common Syntactic Constructs", see - not a violation of XTM 2.0 DTD (or any other DTD).
Just as xml_parse() e.g. rejects <foo>bar</bar> (throws error "Mismatched tag"), illegal id attributes (IMO a common syntactic construct) should also throw a parse error.
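The behaviour discussed in this thread, as an added example that is not part of the original report or of PHP's own code: the same document passes the well-formedness check of xml_parse() but fails DOMDocument::validate() once a DTD types the attribute as ID. The inline DTD, the sample document and the helper names are assumptions constructed for illustration (this is not the XTM 2.0 DTD), and the last helper covers only the ASCII subset of NCName.

```php
<?php
// Constructed sample: an internal DTD subset declares topic/@id as type ID.
// Assumption: this minimal DTD is illustrative only, not the XTM 2.0 DTD.
$xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE topicMap [
  <!ELEMENT topicMap (topic*)>
  <!ATTLIST topicMap version CDATA #REQUIRED>
  <!ELEMENT topic EMPTY>
  <!ATTLIST topic id ID #REQUIRED>
]>
<topicMap version="2.0">
  <topic id="2topic"/>
</topicMap>
XML;

// Well-formedness only: xml_parse() does not apply attribute types,
// so the value of id is just character data to it.
function isWellFormed(string $xml): bool {
    $parser = xml_parser_create();
    return xml_parse($parser, $xml, true) === 1;
}

// DTD validation through the DOM extension; returns libxml error messages.
// For untrusted input, do not add LIBXML_NOENT to the loadXML() options.
function dtdErrors(string $xml): array {
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    $doc = new DOMDocument();
    $errors = [];
    if (!$doc->loadXML($xml) || !$doc->validate()) {
        foreach (libxml_get_errors() as $e) {
            $errors[] = trim($e->message);
        }
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $errors;
}

// Application-level check for when no DTD is available.
// Assumption: ids are restricted to the ASCII subset of NCName.
function isAsciiNcName(string $value): bool {
    return preg_match('/^[A-Za-z_][A-Za-z0-9._-]*\z/', $value) === 1;
}

var_dump(isWellFormed($xml));                       // well-formedness result
print_r(dtdErrors($xml));                           // validation errors, if any
var_dump(isAsciiNcName('2topic'), isAsciiNcName('topic2'));
```

Code that relies on ids being valid names (for lookups, fragment references or generated markup) needs one of the last two checks, since a successful xml_parse() only establishes well-formedness.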
Last updated: Mon Jun 17 08:01:32 2024 UTC