Bug #16374 Updated: Automatic Session ID replacement adds at a wrong place session ID in Javascript

Tue, 02 Apr 2002 06:22:14 -0800 

 ID:               16374
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Duplicate
 Bug Type:         Session related
 Operating System: Linux
 PHP Version:      4.1.2
 New Comment:

It seems this is a duplicate of #14080


Previous Comments:
------------------------------------------------------------------------

[2002-04-01 10:47:09] [EMAIL PROTECTED]

Hello,

This is what I coded in a PHP page:

         echo "      <Script
language=\"Javascript\">getDivTag(\"id=\\\"backID\\\"
class=\\\"galbb\\\"\",\n";
         echo "         \"<a
href=\\\"Javascript:load('../index.html');\\\">\\\n";
         echo "            <img src=\\\"../back.gif\\\" alt=\\\"Leave
picture gallery\\\">\\\n";
         echo "         </a>\");</script>";

This is what the browser got: 

      <Script language="Javascript">getDivTag("id=\"backID\"
class=\"galbb\"",
         "<a
href="\?PHPSESSID=711e2d88c69e1320557bd47ae88d62a2""Javascript:load('../index.html');">\

            <img src=\"../back.gif\" alt=\"Leave picture gallery\">\
         </a>");</script>

instead of ...href=\"Javascript:load('../index.html')\"...

It seems, that PHP was thinking the \ is a incorrectly specified href
attribut value and therefore replaced it by \?PHPSESSID=... 

The same problem still exists if instead a call to a Javascript
function the direct uri is specified:
href=\"..\index.html\". 

I guess PHP doesn't do a context base analyse, but simply searches for
href=. This seems sensible to me, since it's the easiest way. 

I suggest to do a special case treatment, and look if \" follows a href
attribut. In that case the href may be within a Javascript string and
the replacement should be done using \" as delimiters.

I also suggest not to add " if the programmer forgot them. I suggest in
that case to write a warning during compilation (if that exists),
because it href= may be within a string in a Javascript statement.
Adding " would cause the string to terminate, which would unsettle the
javascript statement.

I can't garantuee I'm using the latest PHP version. I use a provider.
I'm going to install the latest PHP version on my localhost. Then I'll
update this bugreport. Until then, you could treat it as FYI.

Unfortunatelly I can't get an exact configuration of PHP from my
provider until next week, I got to call them.

I checked all bug reports 'session related'. Are there all bugs
reported since 4.0?

Go on like that, I really appreciate your work!!

Gr�goire Braun
Switzerland

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=16374&edit=1

Reply via email to