Bug #57059 Sanitize string : encode amp
Submitted: 2006-06-02 09:33 UTC Modified: 2006-11-09 20:16 UTC
From: c dot lecocq at pixandlog dot com Assigned:
Status: Not a bug Package: filter (PECL)
PHP Version: Irrelevant OS: Gentoo Linux
Private report: No CVE-ID: None
 [2006-06-02 09:33 UTC] c dot lecocq at pixandlog dot com
Description:
------------
When used with the FILTER_FLAG_ENCODE_AMP flag, the SANITIZE_STRING filter re-encodes the '&' that came from the current encoding.
(ex: ' -> &#39; -> &#38;#39;)

Reproduce code:
---------------
<?php
// filter_data() was the PECL-era name of the function later renamed filter_var()
$variable = "abc&def'ghi";
var_dump(filter_data($variable, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP));
?>


Expected result:
----------------
string(23) "abc&#38;def&#39;ghi"

Actual result:
--------------
string(23) "abc&#38;def&#38;#39;ghi"

 [2006-06-02 10:45 UTC] c dot lecocq at pixandlog dot com
Description:
------------
FILTER_UNSAFE_RAW doesn't seem to have the same bug...

Reproduce code:
---------------
<?php
// filter_data() was the PECL-era name of the function later renamed filter_var()
// the 'é' is the high (non-ASCII) character that FILTER_FLAG_ENCODE_HIGH turns into &#233;
$variable = "abc&défghi";
var_dump(filter_data($variable, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP));
var_dump(filter_data($variable, FILTER_UNSAFE_RAW, FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP));
?>

Expected result:
----------------
string(19) "abc&#38;d&#233;fghi"
string(19) "abc&#38;d&#233;fghi"

Actual result:
--------------
string(23) "abc&#38;d&#38;#233;fghi"
string(19) "abc&#38;d&#233;fghi"
 [2006-11-09 20:16 UTC] ilia at prohost dot org
Thank you for taking the time to write to us, but this is not a bug.

Sanitize string causes PHP to encode ' into an HTML entity. Then you apply the encode amp flag, which converts all & characters, including the one that is part of the ' entity, into HTML entities, subsequently causing double encoding.
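As an added illustration that is not part of the bug report: the PHP below reproduces the two-step encoding described in the reply with plain string functions (so it runs on current PHP, where FILTER_SANITIZE_STRING is deprecated), then shows that encoding the ampersand first, or using htmlspecialchars() with double_encode=false, keeps the output single-encoded and safe to apply twice. The sample input is constructed and the helper names are assumptions of this example, not filter extension API.

```php
<?php
// Added example, not from the bug report. Reproduces the double encoding
// with plain string functions and shows two ways to avoid it.

// Step 1, what the sanitize filter does to quotes: ' -> &#39;, " -> &#34;
function encodeQuotes(string $s): string
{
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $s);
}

// Step 2, what FILTER_FLAG_ENCODE_AMP does: every & -> &#38;, including
// the & that step 1 just introduced. That second hit is the double encoding.
function encodeAmp(string $s): string
{
    return str_replace('&', '&#38;', $s);
}

// The order from the report: quotes first, then ampersands.
function sanitizeThenAmp(string $s): string
{
    return encodeAmp(encodeQuotes($s));
}

// Fix A: encode the ampersand first. Entities introduced afterwards are
// never revisited, so each input character is encoded exactly once.
function ampThenQuotes(string $s): string
{
    return encodeQuotes(encodeAmp($s));
}

// Fix B: one pass with htmlspecialchars(). ENT_QUOTES covers both quote
// characters; double_encode=false leaves already valid entities alone,
// which makes the function idempotent (a second pass changes nothing).
function escapeOnce(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8', false);
}

$input = "abc&def'ghi"; // constructed sample, same text as the report

// The report's order reproduces the double-encoded result shown above.
var_dump(sanitizeThenAmp($input) === "abc&#38;def&#38;#39;ghi");
var_dump(sanitizeThenAmp($input));

// Both fixes keep the apostrophe entity intact.
var_dump(ampThenQuotes($input));
var_dump(escapeOnce($input));

// Idempotency: fix B applied twice equals fix B applied once, whereas the
// report's order keeps growing with every pass.
var_dump(escapeOnce(escapeOnce($input)) === escapeOnce($input));
var_dump(sanitizeThenAmp(sanitizeThenAmp($input)) === sanitizeThenAmp($input));
```

Note that htmlspecialchars() with ENT_HTML401 emits &#039; and &amp; rather than the filter extension's &#39; and &#38;; the entities differ in spelling but decode to the same characters. The practical point for output escaping is the same either way: pick one escaping step that runs exactly once on the way to the HTML sink, or one that is idempotent, rather than chaining two passes that each rewrite '&'.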
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Dec 04 22:03:36 2021 UTC