Bug #75163 filter_var with FILTER_SANITIZE_SPECIAL_CHARS is manipulating data
Submitted: 2017-09-06 11:07 UTC Modified: 2017-09-06 11:33 UTC
From: itsursujit at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.6.31 OS: Ubuntu
Private report: No CVE-ID: None
 [2017-09-06 11:07 UTC] itsursujit at gmail dot com
Description:
------------
I encountered this issue when I tried to sanitize urlencoded variables. Here are the steps with expected and actual results:
Step 1: assign string to variable with encoded characters
     
    $x="I&#39;ve some comment";

Step 2: decode the variable using `urldecode()`

    $decoded=urldecode($x); //result: I've some comment;
    echo $decoded;
    EXPECTED RESULT:  I've some comment
    ACTUAL RESULT:  I've some comment

Step 3: filter above decoded data and echo the result

    echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
    EXPECTED RESULT:  I've some comment
    ACTUAL RESULT:  I&#39;ve some comment

Step 4: filter above raw string and echo the result

    echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));
    EXPECTED RESULT:  I've some comment
    ACTUAL RESULT:  I've some comment

I think Step 3 has a bug.

Test script:
---------------
<?php
$x="I&#39;ve some comment";

$decoded=urldecode($x); //result: I've some comment;
echo $decoded; //result: I've some comment;
echo "\n";
echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
echo "\n";
echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));

Expected result:
----------------
$x="I&#39;ve some comment";
$decoded=urldecode($x); //result: I've some comment;
echo $decoded;
EXPECTED RESULT:  I've some comment

echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
EXPECTED RESULT:  I've some comment

echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));
EXPECTED RESULT:  I've some comment

Actual result:
--------------
$x="I&#39;ve some comment";
$decoded=urldecode($x); //result: I've some comment;
echo $decoded;
ACTUAL RESULT:  I've some comment

echo trim(filter_var(stripslashes($decoded), FILTER_SANITIZE_SPECIAL_CHARS));
ACTUAL RESULT:  I&#39;ve some comment

echo trim(filter_var(stripslashes("I've some comment"), FILTER_SANITIZE_SPECIAL_CHARS));
ACTUAL RESULT:  I've some comment

 [2017-09-06 11:33 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2017-09-06 11:33 UTC] requinix@php.net
&#39; is not a URL-encoded ("percent-encoded") apostrophe. It is an HTML entity.
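The point in the reply above, as an added example that is not part of the bug report or of PHP's own code: the apostrophe from the report is carried through its percent-encoded, HTML-entity and plain forms, to show that `urldecode()` leaves `&#39;` untouched and that `FILTER_SANITIZE_SPECIAL_CHARS` then encodes the entity's `&` a second time, which is the sanitizer doing its job at the output boundary rather than a defect. The `sanitize()` helper and the sample strings are constructed for this example.

```php
<?php
// Added example, not part of the bug report or of PHP's own tests: the apostrophe
// from the report carried through three representations, to show why urldecode()
// leaves an HTML entity alone and why the sanitizer then encodes its "&" again.

function sanitize(string $s): string
{
    return filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Constructed inputs: the same sentence with the apostrophe in three forms.
$percentEncoded = "I%27ve some comment";   // what a query string carries
$htmlEntity     = "I&#39;ve some comment"; // what Step 1 of the report assigns
$plain          = "I've some comment";

// urldecode() only understands %XX sequences (and "+"), so the entity survives it.
assert(urldecode($percentEncoded) === $plain);
assert(urldecode($htmlEntity) === $htmlEntity);

// FILTER_SANITIZE_SPECIAL_CHARS turns ' " < > & into decimal numeric entities,
// so plain text and percent-decoded text both come out encoded exactly once...
assert(sanitize($plain) === "I&#39;ve some comment");
assert(sanitize(urldecode($percentEncoded)) === "I&#39;ve some comment");
// ...while the entity string is encoded a second time: its "&" becomes "&#38;".
assert(sanitize($htmlEntity) === "I&#38;#39;ve some comment");

// If the input really is HTML-entity text, decode it with the HTML decoder first
// (ENT_QUOTES so that &#39; is treated as an apostrophe), then sanitize once.
$decoded = html_entity_decode($htmlEntity, ENT_QUOTES | ENT_HTML5, 'UTF-8');
assert($decoded === $plain);
assert(sanitize($decoded) === "I&#39;ve some comment");

// Alternatively keep already-valid entities untouched with htmlspecialchars(),
// whose fourth argument (double_encode = false) skips re-encoding them.
assert(htmlspecialchars($htmlEntity, ENT_QUOTES | ENT_HTML5, 'UTF-8', false)
       === "I&#39;ve some comment");

echo "all encoding checks passed\n";
```

Run it with `zend.assertions=1` (the CLI default) so a failed assertion throws; each assertion documents which decoder matches which encoding layer.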