 ID:               49785
 Updated by:       moriyo...@php.net
 Reported By:      hello at iwamot dot com
-Status:           Assigned
+Status:           Closed
 Bug Type:         Strings related
 Operating System: *
 PHP Version:      5.3.0
 Assigned To:      moriyoshi
 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.


Previous Comments:
------------------------------------------------------------------------

[2009-10-09 10:02:39] s...@php.net

Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289411
Log: - Fixed bug #49785 (insufficient input string validation of
htmlspecialchars()).

------------------------------------------------------------------------

[2009-10-09 06:20:33] mcdmaster at auone dot jp

I agree with Iwamot.

Jani seems that he's reluctant for all the CJK-related issues, though
this issue specifically makes not only CJK users but also all the UTF-8
people suffer security damages e.g. XSS exploits with invalid character
code(s) injected.

It's obvious for Jani to do mix-up between this issue and the bug
#43896, which is supposed as duplicated as he insists. I'm sure that he
should recognize that each of those issues is entirely apart, even
though its fundamental cause were the same.

The patch that Iwamot has provided should be reviewed ASAP and made
official. Thank you Iwamot!

------------------------------------------------------------------------

[2009-10-09 05:46:09] moriyo...@php.net

This is a valid bug IMO.

------------------------------------------------------------------------

[2009-10-06 19:51:56] hello at iwamot dot com

If #43896, Jani's comment doesn't make sense.

I suppose that you developers can change htmlspecialchars() to be more
STRICT.

------------------------------------------------------------------------

[2009-10-06 12:38:05] hello at iwamot dot com

Could you tell me the report number?

------------------------------------------------------------------------

The remainder of the comments for this report are too long.
To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/49785