|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67734 Add output escaping specifiers to sprintf etc.
Submitted: 2014-08-01 08:16 UTC Modified: -
From: marcus at synchromedia dot co dot uk Assigned:
Status: Open Package: Strings related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-08-01 08:16 UTC] marcus at synchromedia dot co dot uk
sprintf, vsprintf etc have numerous different specifiers for numbers, but only a single generic 'string' option for strings with %s. It would be useful to have additional options for escaping values, for example with URL encoding or HTML escaping. You might say that you can achieve this by applying escaping functions to the variables you pass in, which is correct, but in the interests of DRY, it's much tidier if the printing function can do this itself - and after all there is a clear precedent in the form of all the numeric options for which you could say the same.

It might be interesting to provide SQL escaping specifiers, since PDO doesn't provide a complete implementation for this, thoughit may be difficult to pass in a connection reference in a clean way.

Test script:
The current implementation looks like this:

echo sprintf('<a href="%s?linkname=%s">%s</a>', 'myscript.php', rawurlencode('> my link'), htmlentities('> my link', ENT_QUOTES));

Assuming the %h specifier applies URL-encoding, and the %H specifier applies HTML escaping:

echo sprintf('<a href="%1$s?linkname=%2$h">%2$H</a>', 'myscript.php', '> my link');


<a href="myscript.php?linkname=%3E%20my%20link">&gt; my link</a>


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Oct 20 00:01:24 2020 UTC