|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62013 Htmlentities doesn't convert the characters (,),: to a named entity
Submitted: 2012-05-13 01:01 UTC Modified: 2012-05-13 01:53 UTC
From: c dot noesterer at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.4.3 OS: Linux 3.3.4-1-ARCH
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
9 + 32 = ?
Subscribe to this entry?

 [2012-05-13 01:01 UTC] c dot noesterer at gmail dot com
Htmlentities doesn't convert the characters (,),: to a named entity.

Therefore a XSS-attack works for the script attached:

Test script:
<!DOCTYPE html>
echo '<a href='.htmlentities($_GET["test"]).'>test</a>';

Expected result:
<a href=javascript&colon;alert&lpar;1&rpar;>test</a>

Actual result:
<a href=javascript:alert(1);>test</a>


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-13 01:53 UTC]
-Status: Open +Status: Not a bug
 [2012-05-13 01:53 UTC]
You are using the wrong function. htmlentities() for encoding entities special to 
HTML. Inside an href tag you don't have HTML, you have a URL so you need to use 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 12 21:01:30 2024 UTC