php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #55174 htmlspecialchars buggy
Submitted: 2011-07-11 07:05 UTC Modified: 2011-07-12 03:16 UTC
From: development at dayside dot net Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.4.0alpha1 OS: winxp sp3
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: development at dayside dot net
New email:
PHP Version: OS:

 

 [2011-07-11 07:05 UTC] development at dayside dot net 
Description:
------------
when any string contains any char of these -> äöüß 
and the string is processed with htmlspecialchars it results in an empty string...

Test script:
---------------
<?php 

echo htmlspecialchars('Test123 äöüß');

?>

Actual result:
--------------
nothin...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-11 10:16 UTC] cataphract@php.net
-Status: Open +Status: Bogus
 [2011-07-11 10:16 UTC] cataphract@php.net 
The default encoding as of PHP 5.4 is UTF-8 (it was ISO-8859-1 before). Therefore, if your string is in ISO-8859-1, you must specify the encoding.

Closing as bogus.
 [2011-07-11 12:34 UTC] rasmus@php.net 
You can also set your default_charset back to iso-8859-1 in your php.ini file, but really these days you should be using utf-8.
 [2011-07-12 01:26 UTC] development at dayside dot net 
correct me if i'm wrong, but this function returns nothin' in case of 'Test123'
and thats okay ? 
...and not everyone is allowed to change that php.ini setting

in some cases as a user you dont know which encoding is used... 
in such a case htmlspecialchars discards all data... thats a fantastic idea..
 [2011-07-12 03:16 UTC] rasmus@php.net 
That's the only safe approach. If you don't know the encoding of the characters, you can't possibly know that they are safe to output since they aren't valid in your current encoding. Trying to clean up a string full of invalid characters is dangerous. The only safe approach is to not allow them.

As for not being allowed to change your php.ini, that's fine, that's why the htmlspecialchars() call takes an optional encoding argument.
 [2013-05-07 20:18 UTC] new dot false dot email at gmail dot com 
try this, it worked for me:

htmlspecialchars('Test123 äöüß', ENT_QUOTES | ENT_HTML401, '');
this is the important part --------------------------------^
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 07:01:32 2024 UTC