Edit report at https://bugs.php.net/bug.php?id=47494&edit=1
ID: 47494
Comment by: lzsiga at freemail dot c3 dot hu
Reported by: philipp dot feigl at gmail dot com
Summary: htmlspecialchars does not throw E_WARNING on
multibyte problems
Status: Not a bug
Type: Feature/Change Request
Package: Strings related
Operating System: CentOS5
PHP Version: 5.2.8
Block user comment: N
Private report: N
New Comment:
It is all moot point now: there was an incompatible change in 5.4, so everyone
who want to develop portable code has to explicitly specify
encoding='ISO-8859-1' (Even if they are using ISO-8859-2. Or windows-1250. Or
CP852. Or UTF-8. Or it is not yet known at programming time. (Why, yes, there
are programmers who develop routines/libraries that will be used by others.))
Previous Comments:
------------------------------------------------------------------------
[2012-10-19 06:46:07] [email protected]
user at dudmail dot com you seem confused. A properly configured server doesn't
have display_errors on in production so I don't see how it is leaking in that
case.
And as was pointed out, this code has been revamped in 5.4 to give you a number
of options of what to do with invalid chars which means there is no need for
the
warning anymore.
------------------------------------------------------------------------
[2012-10-19 06:11:33] user at dudmail dot com
Not showing with display_errors = 1 to avoid leaks on badly configured servers,
while showing and thus leaking sensitive information with properly configured
servers? This is lame.
------------------------------------------------------------------------
[2012-09-13 18:53:41] lzsiga at freemail dot c3 dot hu
It would be a valid reason, if there were any plan to support utf16/32, as
iso-8859-x and utf-8 are ASCII-compatible. But even then, the default value for
the $encoding parameter still could be 'ascii(or compatible)'.
Or, like some other string operations, there could be a mb_htmlspecialchars
function.
------------------------------------------------------------------------
[2012-09-13 17:25:08] [email protected]
By simple I assume you mean an htmlspecialchars() function that doesn't check
the
validity of the characters. The problem is that we have to do that. We can't
encode characters without understanding which charset we are dealing with and
we
need to make sure that the character we are looking at is a valid one. The
world
has moved beyond 7-bit ASCII, sorry.
------------------------------------------------------------------------
[2012-09-13 17:07:47] lzsiga at freemail dot c3 dot hu
If the name of the function were
'check_for_multibyte_validity_and_htmlspecialchars' then you'd be right, but
even then I'd lobby for a simple 'htmlspecialchars' function... Doing something
(ie multibyte validity check) that the user (the PHP-programmer in this case)
didn't specifically ask doesn't seem to me to be a good idea (see magic_quotes
for another example).
PS: Of course I wouldn't complaining (or even know about the whole question) if
the default value hadn't been changed to 'UTF-8' in 5.4.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=47494
--
Edit this bug report at https://bugs.php.net/bug.php?id=47494&edit=1
