php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #57059 Sanitize string : encode amp
Submitted: 2006-06-02 09:33 UTC Modified: 2006-11-09 20:16 UTC
From: c dot lecocq at pixandlog dot com Assigned:
Status: Not a bug Package: filter (PECL)
PHP Version: Irrelevant OS: Gentoo Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2006-06-02 09:33 UTC] c dot lecocq at pixandlog dot com 
Description:
------------
When used with FILTER_FLAG_ENCODE_AMP flag, the SANITIZE_STRING filter re-encode '&' who came from current encoding.
(ex: ' -> ' -> ')

Reproduce code:
---------------
<?php
$variable = "abc&def'ghi";
var_dump(filter_data($variable, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP));
?>


Expected result:
----------------
string(23) "abc&#38;def&#39;ghi"

Actual result:
--------------
string(23) "abc&#38;def&#38;#39;ghi"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-06-02 10:45 UTC] c dot lecocq at pixandlog dot com 
Description:
------------
FILTER_UNSAFE_RAW dont seem to have the same bug...

Reproduce code:
---------------
<?php
$variable = "abc&d?fghi";
var_dump(filter_data($variable, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP));
var_dump(filter_data($variable, FILTER_UNSAFE_RAW, FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP));
?>

Expected result:
----------------
string(19) "abc&#38;d&#233;fghi"
string(19) "abc&#38;d&#233;fghi"

Actual result:
--------------
string(23) "abc&#38;d&#38;#233;fghi"
string(19) "abc&#38;d&#233;fghi"
 [2006-11-09 20:16 UTC] ilia at prohost dot org 
Thank you for taking the time to write to us, but this is not
a bug.

Sanitize string causes php to encode ' into html entity. Then 
you apply the encode amp flag, which converts all & including 
that part of the ' entity into html entities, subsequently 
causing double encoding.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 19:01:28 2024 UTC