Bug #62683 FILTER_SANITIZE_SPECIAL_CHARS does not work as declared
Submitted: 2012-07-28 12:22 UTC Modified: 2014-01-13 01:39 UTC
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:4 (100.0%)
From: admin dot windows at gmail dot com Assigned: requinix (profile)
Status: Closed Package: Filter related
PHP Version: 5.3.15 OS: Windows/Linux
Private report: No CVE-ID: None
 [2012-07-28 12:22 UTC] admin dot windows at gmail dot com
Description:
------------
FILTER_SANITIZE_SPECIAL_CHARS and FILTER_SANITIZE_FULL_SPECIAL_CHARS do not work
as documented, and the results produced do not match htmlspecialchars results at all.



Test script:
---------------
<?php
$string = "<a href=\"#\">O'Reilly - PHP Tips & Tricks</a>";

//string '<a href="#">O'Reilly - PHP Tips & Tricks</a>' (length=44)
var_dump($string);


//string '&lt;a href=&quot;#&quot;&gt;O&#039;Reilly - PHP Tips &amp; Tricks&lt;/a&gt;' (length=75)
var_dump(htmlspecialchars($string, ENT_QUOTES));

//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)
var_dump(filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS));

//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)
var_dump(filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS));

Expected result:
----------------
//string '&lt;a href=&quot;#&quot;&gt;O&#039;Reilly - PHP Tips &amp; Tricks&lt;/a&gt;' (length=75)

Actual result:
--------------
//string '&#60;a href=&#34;#&#34;&#62;O&#39;Reilly - PHP Tips &#38; Tricks&#60;/a&#62;' (length=76)

 [2014-01-13 00:51 UTC] shensiapoost at yahoo dot com
According to http://www.php.net/manual/en/filter.filters.sanitize.php, only FILTER_SANITIZE_FULL_SPECIAL_CHARS is equal to htmlspecialchars(). Therefore, FILTER_SANITIZE_SPECIAL_CHARS is acting like it should.

The reason you are seeing FILTER_SANITIZE_FULL_SPECIAL_CHARS not produce the right results is because of https://bugs.php.net/bug.php?id=65282. Because of this bug, if you used the FILTER_SANITIZE_FULL_SPECIAL_CHARS constant, you were essentially calling FILTER_SANITIZE_SPECIAL_CHARS. That is why the two produce the same result.
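The comment above draws the distinction the report missed: FILTER_SANITIZE_SPECIAL_CHARS emits numeric entities, FILTER_SANITIZE_FULL_SPECIAL_CHARS is documented to match htmlspecialchars() with ENT_QUOTES, and bug #65282 made the second behave like the first. The script below is an added example, not code from the bug report or from PHP's own sources. It puts the three encodings side by side on a constructed input and wraps the comparison in a self-check a deployment can run to confirm its build is not affected. The function names, the SAMPLE_INPUT constant and the sample string are this example's own; it assumes a PHP 7 or newer interpreter with the bundled filter extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report or from PHP itself.
// It compares the documented reference encoding with both sanitize filters
// and offers a self-check that FILTER_SANITIZE_FULL_SPECIAL_CHARS really
// matches htmlspecialchars() with ENT_QUOTES, instead of silently acting
// like FILTER_SANITIZE_SPECIAL_CHARS as on builds affected by bug #65282.

/** Constructed sample: markup, both quote styles and a bare ampersand. */
const SAMPLE_INPUT = "<a href=\"#\">O'Reilly - PHP Tips & Tricks</a>";

/**
 * Returns the reference encoding and both filter outputs for $s.
 */
function encode_all(string $s): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
        'special_chars'    => filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS),
        'full_special'     => filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    ];
}

/**
 * Self-check: true when FILTER_SANITIZE_FULL_SPECIAL_CHARS is byte-for-byte
 * what htmlspecialchars($s, ENT_QUOTES) returns, as the manual documents.
 * A build where the FULL constant behaves like the plain filter returns
 * numeric entities (&#60;) here instead of named ones (&lt;) and fails.
 */
function full_special_chars_matches_htmlspecialchars(string $probe = SAMPLE_INPUT): bool
{
    $e = encode_all($probe);
    return $e['full_special'] === $e['htmlspecialchars'];
}

/**
 * Both filters escape the same characters (< > " ' &) and differ only in
 * the spelling of the entities. Decoding each result with
 * html_entity_decode() must give back the original string.
 */
function both_round_trip(string $s): bool
{
    $e = encode_all($s);
    foreach (['special_chars', 'full_special'] as $k) {
        if (html_entity_decode($e[$k], ENT_QUOTES, 'UTF-8') !== $s) {
            return false;
        }
    }
    return true;
}

/**
 * Confirms that no output still contains a raw character that a browser
 * would read as markup or that would terminate a quoted attribute value.
 */
function no_raw_metachars(string $s): bool
{
    foreach (encode_all($s) as $encoded) {
        if (preg_match('/[<>"\']/', $encoded) === 1) {
            return false;
        }
    }
    return true;
}

foreach (encode_all(SAMPLE_INPUT) as $name => $encoded) {
    printf("%-17s %s\n", $name . ':', $encoded);
}
printf("FULL_SPECIAL_CHARS matches htmlspecialchars: %s\n",
    full_special_chars_matches_htmlspecialchars() ? 'yes' : 'NO (filter aliased to SPECIAL_CHARS)');
printf("both filters round-trip through html_entity_decode: %s\n",
    both_round_trip(SAMPLE_INPUT) ? 'yes' : 'no');
printf("no raw metacharacters left in any output: %s\n",
    no_raw_metachars(SAMPLE_INPUT) ? 'yes' : 'no');
```

On a build with the bug only the first check fails: the round-trip and metacharacter checks still pass for both filters, which shows that the defect was a mismatch between the documented and the actual entity spelling, not a failure to escape the dangerous characters. The first check is the one worth keeping in a test suite, because code that string-compares sanitized output against htmlspecialchars() output, or stores it for later exact matching, is what the aliasing silently broke.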
 [2014-01-13 01:39 UTC] requinix@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: requinix
 [2014-01-13 01:39 UTC] requinix@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 09:01:26 2024 UTC