Bug #68728 htmlentities() does not convert ' '/" to &nbsp;/&quot; with ENT_HTML5
Submitted: 2015-01-03 01:25 UTC Modified: 2021-09-15 09:26 UTC
From: yohgaki@php.net Assigned: cmb (profile)
Status: Not a bug Package: Strings related
PHP Version: Irrelevant OS: any
Private report: No CVE-ID: None
 [2015-01-03 01:25 UTC] yohgaki@php.net
Description:
------------
' ' space is &nbsp and it's in conversion tables.

localhost:Documents yohgaki$ php -r 'print_r(get_html_translation_table(ENT_HTML5));'
Array
(
    ["] => &quot;
    [&] => &amp;
    [<] => &lt;
    [>] => &gt;
    [ ] => &nbsp;
    [¡] => &iexcl;

but ' '/" is not converted to &nbsp;/&quot; with htmlentities() at least.
" is converted to &quot; with additional ENT_QUOTES flag. However, htmlentities() should convert all chars according to the conversion table.


Test script:
---------------
php -r 'echo htmlentities("\" <>?&/", ENT_HTML5);'


Expected result:
----------------
&quot;&nbsp;&lt;&gt;&quest;&amp;&sol;

Actual result:
--------------
" &lt;&gt;&quest;&amp;&sol;

 [2015-02-10 20:47 UTC] ppaisndud at gmail dot com
This line causes this,

https://github.com/php/php-src/blob/master/ext/standard/html.c#L1316-L1318

probably can be moved to verified if it is an error.
 [2015-02-11 01:46 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-02-11 01:46 UTC] yohgaki@php.net
I've proposed this change once. I may try it again.
 [2018-02-28 22:21 UTC] cmb@php.net
-Package: Unknown/Other Function +Package: Strings related
 [2021-09-15 09:26 UTC] cmb@php.net
-Status: Assigned +Status: Not a bug -Assigned To: yohgaki +Assigned To: cmb
 [2021-09-15 09:26 UTC] cmb@php.net
> However, htmlentities() should convert all chars according to
> the conversion table.

No.  Quotes and apostrophes are handled according to ENT_COMPAT,
ENT_QUOTES and ENT_NOQUOTES, and ENT_HTML5 does not imply
ENT_QUOTES nor ENT_COMPAT, so ENT_NOQUOTES is effective.

This default might not be the best choice, but the behavior is not
a bug, and changing it would require the RFC process because of
the BC break.
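
Added example, not part of the report or of php-src: it runs the report's test string under three flag sets to show which quote characters htmlentities() leaves raw, and what that does to a quoted attribute value. The helper names raw_quotes() and esc_attr() and the sample strings are assumptions made for this illustration.

```php
<?php
// Added example; sample strings are constructed for illustration.

// Report which quote characters survive htmlentities() unescaped for a flag set.
function raw_quotes(int $flags): array
{
    $out = htmlentities("\"'", $flags, 'UTF-8');
    return [
        'double' => strpos($out, '"') !== false,
        'single' => strpos($out, "'") !== false,
    ];
}

// Hypothetical helper: always state the quote mode next to the doctype flag.
function esc_attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$flagSets = [
    'ENT_HTML5'              => ENT_HTML5,
    'ENT_COMPAT | ENT_HTML5' => ENT_COMPAT | ENT_HTML5,
    'ENT_QUOTES | ENT_HTML5' => ENT_QUOTES | ENT_HTML5,
];

foreach ($flagSets as $label => $flags) {
    $raw = raw_quotes($flags);
    printf("%-24s raw dq: %-3s raw sq: %-3s => %s\n",
        $label,
        $raw['double'] ? 'yes' : 'no',
        $raw['single'] ? 'yes' : 'no',
        htmlentities("\" <>?&/", $flags, 'UTF-8'));
}

// Constructed attribute value: an unescaped quote would end value="..." early.
$title = 'say "hi"';
echo '<input value="' . htmlentities($title, ENT_HTML5, 'UTF-8') . '">', "\n"; // quote mode omitted
echo '<input value="' . esc_attr($title) . '">', "\n";                         // quote mode explicit

// The table key printed as [ ] is U+00A0 (no-break space), not the ASCII space.
var_dump(htmlentities("\u{00A0}", ENT_HTML5, 'UTF-8')); // no-break space input
var_dump(htmlentities(' ', ENT_HTML5, 'UTF-8'));        // ASCII space input
```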
Last updated: Tue Oct 15 02:01:27 2024 UTC