|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67887 the URL rewrite mechanism handles `<a href=\"javascript` in a surprising manner
Submitted: 2014-08-22 14:32 UTC Modified: -
Avg. Score:2.2 ± 1.3
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (66.7%)
From: ndermine at adequasys dot com Assigned:
Status: Open Package: Output Control
PHP Version: 5.5.16 OS: windows, mac os x, debian
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-08-22 14:32 UTC] ndermine at adequasys dot com
I use output_add_rewrite_var to add a URL parameter to relative links in my app.

When I have a link like this <a href="javascript:..."> it is left untouched which is great.

But I had a piece of javascript containing an anchor tag inside a javascript string :
"<a href=\"javascript..." (note the escaped double quote that is expected to remain escaped in the HTML page source)

That part was modified in a way that broke the javascript : the new param was introduced between the backslash and the double quote :

"<a href=\?key=value"javascript..."

I can of course write (and have rewritten) my javascript differently, but would it be possible to not insert the parameters in this case?

This seems very similar to Bug #19358 "URL Rewriter Blindly Replaces All Links" (closed because of lack of feedback) which was submitted in 2002.

Thank you for your work.

Test script:
output_add_rewrite_var('a', 'b');
<script type="text/javascript">
var link = "<a href=\"javascript:doSomething('with a parameter')\">link</a>";

Expected result:
<script type="text/javascript">
var link = "<a href=\"javascript:doSomething('with a parameter')\">link</a>";

Actual result:
<script type="text/javascript">
var link = "<a href=\?a=b"javascript:doSomething('with a parameter')\">link</a>";


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-11-04 14:19 UTC] datatablesstr-1 at yahoo dot gr
I face a similar problem since I upgraded from PHP 5.4.16 to PHP 5.4.29 (also Zend Server 6.0.1 to Zend Server 7.0.0), on various Windows OS (Win7 and Server 2003, 2008) and also to both IIS and Apache (various versions).

Unfortunately I can not supply any code as the application is copyrighted but I will provide you some information and the output results.

The concept is that the phpinfo() is called, parsed, minified and returned inside a JSON object. A part of the code is the following:

$phpinfo = trim(str_replace(array("\r","\n","\t"), "", ob_get_contents()));
$component->contents = $phpinfo;

Then the component is passing through a lot of functions etc leading to the output...

Starting from the "normal" or expected output, which is also the "correct" output, returned since many years and several PHP versions (now with the 5.4.16 for example):

... <td><a href=\"http:\/\/\/\"><img border=\"0\" ...

Instead from the above, I get with PHP5.4.29 the following (exactly with the blank spaces etc):

... <td><a href=\?ApplId=f29bp4f03fmo1juomiaup7m851" http :  \  /  \  / \  /  \ "><img border=\"0\" ...

I found out that the responsible configuration can be found in php.ini, which is the same in both old and new setups (PHP5.4.16 vs PHP5.4.29)


when I replace/deactivate the url_rewriter with the following:


I get the correct result, as it used to be output in PHP 5.4.16.

I hope my comment provides some helpful extra information.

Best Regards,
 [2020-07-01 17:46 UTC] php at yopmail dot com
Always the problème in 2020 !!!

If js code in HTML like that :

some text
var m = $("<a href=\"\/my\/url\">label</a>") ;

it is transformed in :

some text
var m = $("<a href=\?a=b"\/my\/url\">label</a>") ;
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 18 22:01:29 2024 UTC