php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62013 Htmlentities doesn't convert the characters (,),: to a named entity
Submitted: 2012-05-13 01:01 UTC Modified: 2012-05-13 01:53 UTC
From: c dot noesterer at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.4.3 OS: Linux 3.3.4-1-ARCH
Private report: No CVE-ID: None
 [2012-05-13 01:01 UTC] c dot noesterer at gmail dot com
Description:
------------
Htmlentities doesn't convert the characters (,),: to a named entity.

Therefore a XSS-attack works for the script attached:
?test=javascript:alert(1);

Test script:
---------------
<!DOCTYPE html>
<html>
<head>
<title>Test</title>
</head>
<body>
<?php
echo '<a href='.htmlentities($_GET["test"]).'>test</a>';
?>
</body>
</html>


Expected result:
----------------
<a href=javascript&colon;alert&lpar;1&rpar;>test</a>

Actual result:
--------------
<a href=javascript:alert(1);>test</a>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-13 01:53 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2012-05-13 01:53 UTC] rasmus@php.net
You are using the wrong function. htmlentities() for encoding entities special to 
HTML. Inside an href tag you don't have HTML, you have a URL so you need to use 
urlencode().
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 11:01:30 2024 UTC