#49814 [Opn->Csd]: htmlentities/htmlspecialchars accept partial multibyte sequences still

Tue, 13 Oct 2009 08:13:51 -0700 

 ID:               49814
 User updated by:  hello at iwamot dot com
 Reported By:      hello at iwamot dot com
-Status:           Open
+Status:           Closed
 Bug Type:         Strings related
 Operating System: *
 PHP Version:      5.3.2-dev
 New Comment:

I received a message from Moriyoshi. According to him,
htmlentities/htmlspecialchars must accept [\x80 - \x8d], because they
are not a lead byte. Then application developers may use those as some
sort of control codes.

I agree with him, and close this report. Thank you all for your
kindness.


Previous Comments:
------------------------------------------------------------------------

[2009-10-11 07:16:27] hello at iwamot dot com

First of all, thank you for your fixing bug #49785. But it seems to me
that htmlentities/htmlspecialchars must not accept [\x80 - \x8d] when
EUC-JP is specified. If I'm right, I hope they will be fixed. Or close
this report please. Thanks.

------------------------------------------------------------------------

[2009-10-09 16:46:23] hello at iwamot dot com

Yes it is. Many thanks for your time and help!

------------------------------------------------------------------------

[2009-10-09 11:50:13] mcdmaster at auone dot jp

Sorry but this issue is the same as bug #49785, isn't it?

------------------------------------------------------------------------

[2009-10-08 14:15:55] hello at iwamot dot com

Description:
------------
PHP 5 ChangelLog says "Fixed htmlentities/htmlspecialchars not to
accept partial multibyte sequences."
http://www.php.net/ChangeLog-5.php#5.2.5

But it has not been fixed in reality. Please correct the log, or
investigate my patch.
http://iwamot.com/misc/html.c.patch.20091008

Reproduce code:
---------------
// Shift_JIS
echo htmlspecialchars("\x80",  ENT_QUOTES, 'Shift_JIS') . "!\n";
echo htmlspecialchars("\x81/", ENT_QUOTES, 'Shift_JIS') . "!\n";
// EUC-JP
echo htmlspecialchars("\x80",  ENT_QUOTES, 'EUC-JP')    . "!\n";
echo htmlspecialchars("\xA1/", ENT_QUOTES, 'EUC-JP')    . "!\n";

Expected result:
----------------
returning empty string (as well as my patch):

!
!
!
!

or sanitizing:

!
/!
!
/!

Actual result:
--------------
_!
_/!
_!
_/!

("_" means an invalid byte)


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49814&edit=1

Reply via email to