Edit report at https://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         hanskrentel at yahoo dot de
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in
                     DOMElement->setAttribute
 Status:             Not a bug
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N
 Private report:     N

 New Comment:

This is bogus because & as character is needed in the attribute values to
start an entity to express character references. Otherwise it would not be
possible to set the superset of all XML attribute values (AttValue;
http://www.w3.org/TR/xml/#NT-AttValue), the expression wouldn't be distinct.

Like you need to write "\t" in a PHP string to express a tab and therefore
"\\" to express the slash. I hope this clarifies this a bit.


Previous Comments:
------------------------------------------------------------------------
[2011-10-08 18:33:10] matteosistisette at gmail dot com

I'm still observing this issue (by the way, why is it marked as "bogus"?).

Even the simplexml property accessors do give me the warning, such as:

$a['b'] = "& < '"; // GENERATES THE WARNING!!!!!!!!

------------------------------------------------------------------------
[2011-09-11 01:40:13] abxccd at msn dot com

I am still seeing this bug in PHP 5.3.8

------------------------------------------------------------------------
[2011-02-23 03:30:34] jan-bugreport at gmx dot de

With simpleXML, addChild($name, $value) works really weird (tested on 5.3.1 on
win): in the value, the characters < and > are correctly escaped to &lt; and
&gt; but ampersands cause the "unterminated entity reference" message. I would
understand if it escaped nothing, or if it escaped everything, but this seems
weird.

Also, no matter what the final decision about this bug will be, this should be 
documented really well in the SimpleXML docs. It is confusing and I could 
imagine it could cause security issues in some applications.

------------------------------------------------------------------------
[2010-09-22 01:02:27] steven at navolutions dot com

I also had this issue, one thing that might not have been included in the
original reproducing of the code is that the DOMElement may have been extended.
I know mine is extended, so reproduce the code by extending the DOMElement
class. I also extended the DOMDocument class, so try that too. So no, the
status is not Bogus, just not tested thoroughly.

------------------------------------------------------------------------
[2010-04-09 14:01:23] rricha...@php.net

Behavior as defined by DOM specs. No warnings are issued from either of the 2
examples in the reproduced code.

addChild() method described in later reports works as defined by specs. Use
the simplexml property accessors for auto escaping.

------------------------------------------------------------------------
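
Added example, not part of the bug report or of PHP's own code: it writes the
same untrusted string into a SimpleXML child in the three ways the comments
above mention (raw addChild(), addChild() after caller-side escaping, and the
property accessor) and checks whether the value round-trips. The sample value
and the element names are constructed.

```php
<?php
// Constructed sample input: untrusted text containing XML metacharacters.
$value = 'Tom & Jerry <b>';

$xml = new SimpleXMLElement('<root/>');

// Collect warnings instead of printing them, so they can be listed at the end.
$warnings = [];
set_error_handler(function (int $errno, string $msg) use (&$warnings): bool {
    $warnings[] = $msg;
    return true;
});

// 1. addChild() with the raw value: "<" and ">" are escaped, but "&" is
//    read as the start of an entity reference (the behaviour reported above).
$xml->addChild('raw', $value);

// 2. addChild() with the value escaped by the caller first.
$xml->addChild('escaped', htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8'));

// 3. Property accessor: SimpleXML escapes the value itself.
$xml->auto = $value;

restore_error_handler();

// Compare what each element now holds with the original input.
foreach (['raw', 'escaped', 'auto'] as $name) {
    $stored = (string) $xml->{$name};
    printf("%-8s round-trips: %s  stored: %s\n", $name,
        $stored === $value ? 'yes' : 'NO', var_export($stored, true));
}
echo "warnings:\n  ", implode("\n  ", $warnings) ?: '(none)', "\n";
echo $xml->asXML(), "\n";
```

Comparing the stored string with the input, as the loop does, is a cheap
regression check for any code path that builds XML from user-supplied text.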


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=36795


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=36795&edit=1
