

$var = ( htmlspecialchars_decode ( $var ) == $var ) ? htmlspecialchars ( $var ) : $var;

Well, consider someone sending '&amp;<script>alert('XSS')</script>' to your PHP script: since '&amp;' decodes into '&', (htmlspecialchars_decode($var) == $var) will be -false-, thus returning $var without it being escaped. In consequence, the script tags are untouched, and you've just opened yourself to XSS. There is, unfortunately, no reliable way to determine whether HTML is escaped or not that does not come with this caveat that I know of.
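The following is an added example and not the note author's code. It runs the "decode it and see whether anything changed" heuristic from the note above against the same kind of input, next to the two approaches a practitioner would actually use: escaping unconditionally on output, and, where stored text may already contain entities, escaping with double_encode set to false. The function names are mine; ENT_HTML5 needs PHP 5.4 or later and the double_encode parameter needs PHP 5.2.3 or later.

```php
<?php
// Added example (not the note author's code). Shows why the
// "escape only if it does not already look escaped" heuristic is unsafe
// and what to do instead.

// The heuristic quoted in the note. Vulnerable: any string containing a
// decodable entity is treated as "already escaped" and passed through raw.
function escape_if_not_escaped($var)
{
    return (htmlspecialchars_decode($var) == $var) ? htmlspecialchars($var) : $var;
}

// Always escape on output. Input is text, never markup. A pre-escaped
// "&amp;" becomes "&amp;amp;", which is the correct rendering of the
// literal text the user sent.
function escape_always($var)
{
    return htmlspecialchars($var, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// If the string may legitimately contain entities already (for example data
// that was stored escaped), set double_encode = false: existing entities are
// left alone, but bare <, >, & and quotes are still neutralised. This is
// the reliable answer to "I don't know whether this was escaped yet".
function escape_without_double_encoding($var)
{
    return htmlspecialchars($var, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// Constructed attacker input, as in the note: a harmless-looking entity
// followed by a script tag.
$payload = "&amp;<script>alert('XSS')</script>";

$results = array(
    'heuristic'     => escape_if_not_escaped($payload),
    'always'        => escape_always($payload),
    'double_encode' => escape_without_double_encoding($payload),
);

foreach ($results as $name => $html) {
    $verdict = (strpos($html, '<script') === false) ? 'safe' : 'XSS';
    printf("%-14s %-4s %s\n", $name, $verdict, $html);
}
```

Run it with the PHP CLI: the heuristic line prints the payload unchanged, including the raw script tag, because decoding changed "&amp;" to "&" and the comparison failed; the other two lines contain no "<" at all. Note that double_encode = false decides per entity, not per string, so it never has the all-or-nothing failure mode the note describes.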

The example for "htmlspecialchars_decode()" below sadly does not work for all PHP4 versions. "get_html_translation_table() will return the translation table that is used internally for htmlspecialchars() and htmlentities()." But it does NOT! At least not for PHP version 4.4.2. This was already reported in a bug report ( ), but it was marked as BOGUS. This comment now is not to report this bug again (though I really believe it is one), but to complete the example and warn people of this pitfall.

To make sure your htmlspecialchars_decode fake for PHP4 works, you should do something like this:

Keep in mind that you should never trust user input - particularly for "mixed-bag" input containing a combination of plain text and markup or scripting code.
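The code the note refers to is not preserved on this page. What follows is an added example of my own, not the note author's: a replacement for htmlspecialchars_decode() that does not depend on get_html_translation_table() at all but reverses the fixed set of substitutions htmlspecialchars() makes, honouring the ENT_COMPAT / ENT_QUOTES / ENT_NOQUOTES flags. It also contrasts strtr() with the chained str_replace() variant people tend to write first, which decodes twice and resurrects markup that had been escaped twice. Function names and the sample text are mine.

```php
<?php
// Added example (not the note author's code). A stand-in for
// htmlspecialchars_decode() built on an explicit reverse table instead of
// get_html_translation_table(), which the note above reports as not matching
// htmlspecialchars() on PHP 4.4.2.

// Quote handling follows the $quote_style flags: ENT_COMPAT decodes &quot;
// only, ENT_QUOTES also decodes &#039;, ENT_NOQUOTES decodes neither.
function htmlspecialchars_decode_compat($string, $quote_style = ENT_COMPAT)
{
    $table = array(
        '&lt;'  => '<',
        '&gt;'  => '>',
        '&amp;' => '&',
    );
    if ($quote_style & ENT_COMPAT) {                 // double-quote bit
        $table['&quot;'] = '"';
    }
    if (($quote_style & ENT_QUOTES) == ENT_QUOTES) { // both quote bits set
        $table['&#039;'] = "'";
    }
    // strtr() with an array makes a single pass and never re-scans text it
    // has already produced, so "&amp;lt;" becomes "&lt;", not "<".
    return strtr($string, $table);
}

// The tempting alternative, one str_replace() with arrays, is a double-decode
// bug: each pair is applied in turn over the whole string, so "&amp;lt;"
// becomes "&lt;" and then "<".
function htmlspecialchars_decode_chained_wrong($string)
{
    $from = array('&amp;', '&lt;', '&gt;', '&quot;', '&#039;');
    $to   = array('&',     '<',    '>',    '"',      "'");
    return str_replace($from, $to, $string);
}

// Round trip against the native encoder on constructed sample text.
// With ENT_QUOTES and the default HTML 4.01 doctype a single quote becomes &#039;.
$text    = 'Tom & "Jerry" <b>it\'s</b>';
$escaped = htmlspecialchars($text, ENT_QUOTES);
$ok      = (htmlspecialchars_decode_compat($escaped, ENT_QUOTES) === $text);
printf("round trip: %s\n", $ok ? 'ok' : 'MISMATCH');

// Input that was escaped twice: the compat version undoes one level and
// leaves entities; the chained version undoes both and emits a raw tag.
$twice = htmlspecialchars($escaped, ENT_QUOTES);
printf("compat : %s\n", htmlspecialchars_decode_compat($twice, ENT_QUOTES));
printf("chained: %s\n", htmlspecialchars_decode_chained_wrong($twice));
```

On any PHP 5 or later interpreter the round trip reports ok and the two decodes of the doubly-escaped string differ: the compat output still contains "&lt;b&gt;", the chained output contains a literal "<b>". On a PHP 4 install the same file runs unchanged, since it uses only strtr(), str_replace() and the ENT_* constants, which is the point of not going through get_html_translation_table().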
