PHP :: Bug #62013 :: Htmlentities doesn't convert the characters (,),: to a named entity

Bug #62013	Htmlentities doesn't convert the characters (,),: to a named entity
Submitted:	2012-05-13 01:01 UTC	Modified:	2012-05-13 01:53 UTC
From:	c dot noesterer at gmail dot com	Assigned:
Status:	Not a bug	Package:	Filter related
PHP Version:	5.4.3	OS:	Linux 3.3.4-1-ARCH
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2012-05-13 01:01 UTC] c dot noesterer at gmail dot com

Description:
------------
Htmlentities doesn't convert the characters (,),: to a named entity.

Therefore a XSS-attack works for the script attached:
?test=javascript:alert(1);

Test script:
---------------
<!DOCTYPE html>
<html>
<head>
<title>Test</title>
</head>
<body>
<?php
echo '<a href='.htmlentities($_GET["test"]).'>test</a>';
?>
</body>
</html>


Expected result:
----------------
<a href=javascript&colon;alert&lpar;1&rpar;>test</a>

Actual result:
--------------
<a href=javascript:alert(1);>test</a>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-05-13 01:53 UTC] rasmus@php.net

-Status: Open +Status: Not a bug

[2012-05-13 01:53 UTC] rasmus@php.net

You are using the wrong function. htmlentities() for encoding entities special to 
HTML. Inside an href tag you don't have HTML, you have a URL so you need to use 
urlencode().

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 12:01:31 2024 UTC