Edit report at https://bugs.php.net/bug.php?id=61354&edit=1
ID: 61354
Comment by: support at playnext dot ru
Reported by: hufeng1987 at gmail dot com
Summary: htmlentities and htmlspecialchars doesn't respect the default_charset
Status: Not a bug
Type: Bug
Package: Strings related
Operating System: Linux/Windows/
PHP Version: 5.4.0
Block user comment: N
Private report: N
New Comment:
For those still looking for a solution around this headache - pls consider:
1. http://php.net/manual/en/function.override-function.php
2. http://php.net/manual/ru/function.runkit-function-redefine.php
The idea - you override the built-in htmlspecialchars() function with your
customized variant which is able to respect non UTF-8 default encoding. This
small piece of code can be then easily inserted somewhere at the start of your
project. No need to rewrite all htmlspecialchars() entries globally.
I've spent several hours with both approaches. Variant 1 looks good especially
in combination with http://www.php.net/manual/en/function.rename-function.php
as it allows to call original htmlspecialchars() with just altered default
args. The code could be as follows:
<?php
// Keep the built-in reachable under a new name (APD extension).
rename_function('htmlspecialchars', 'renamed_htmlspecialchars');

// Same signature as the built-in, but with cp1251 as the default encoding.
function overriden_htmlspecialchars($string, $flags=NULL, $encoding='cp1251', $double_encode=true) {
    $flags = $flags ? $flags : (ENT_COMPAT|ENT_HTML401);
    return renamed_htmlspecialchars($string, $flags, $encoding, $double_encode);
}

// Route every htmlspecialchars() call through the wrapper.
override_function('htmlspecialchars', '$string, $flags, $encoding, $double_encode', 'return overriden_htmlspecialchars($string, $flags, $encoding, $double_encode);');
?>
Unfortunately this didn't work for me properly - my site managed to call
overridden function but not every time I reloaded the pages. Moreover other PHP
sites crashed under my Apache server as they suddenly started blaming
htmlspecialchars() was not defined. I suppose I had to spend more time to make
it work thread/request/site/whatever-safe.
So I switched to runkit (variant 2). It worked for me, although even after
trying runkit_function_rename()+runkit_function_add() I didn't manage to
recall original htmlspecialchars() function. So as a quick solution I decided
to call htmlentities() instead:
<?php
// Wrapper that falls back to cp1251 when $encoding arrives empty.
function overriden_htmlspecialchars($string, $flags=NULL, $encoding='UTF-8', $double_encode=true) {
    $flags = $flags ? $flags : (ENT_COMPAT|ENT_HTML401);
    $encoding = $encoding ? $encoding : 'cp1251';
    //return renamed_htmlspecialchars($string, $flags, $encoding, $double_encode);
    return htmlentities($string, $flags, $encoding, $double_encode);
}

// Replace the built-in with a stub that forwards to the wrapper (runkit extension).
runkit_function_redefine('htmlspecialchars', '$string, $flags, $encoding, $double_encode', 'return overriden_htmlspecialchars($string, $flags, $encoding, $double_encode);');
?>
You may be able to implement your more powerful overridden function.
Sorry, if this topic is not bug-related. I support all the reports here - a
small update to the default behaviour ruined our days...
Thank you.
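
The behaviour the override above works around, as an added example that is not part of the original comment or of PHP's own code: a wrapper that always passes an explicit charset, next to the result of escaping cp1251 bytes under the UTF-8 default. The helper name html_escape(), the sample bytes and the cp1251 ini setting are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the bug report. html_escape() is a hypothetical helper.

/**
 * Escape $value for HTML with an explicit charset: the caller's, else the
 * default_charset ini setting, else UTF-8.
 */
function html_escape($value, $flags = null, $charset = null, $double_encode = true)
{
    if ($flags === null) {
        $flags = ENT_QUOTES | ENT_HTML401;
    }
    if ($charset === null) {
        $charset = ini_get('default_charset');
        if ($charset === false || $charset === '') {
            $charset = 'UTF-8';
        }
    }
    return htmlspecialchars((string) $value, $flags, $charset, $double_encode);
}

// Constructed sample: the word "Привет" as cp1251 bytes, followed by markup.
$input = "\xCF\xF0\xE8\xE2\xE5\xF2 <b title=\"x\">";

// Assumption for the demo: the site serves cp1251, as in the comment above.
ini_set('default_charset', 'cp1251');

// With 'UTF-8' (the hard-coded default in PHP 5.4) the bytes are an invalid
// sequence, so the whole result is an empty string and the text disappears.
$as_utf8 = htmlspecialchars($input, ENT_QUOTES | ENT_HTML401, 'UTF-8');

// ENT_SUBSTITUTE keeps the markup escaped but replaces the text with U+FFFD.
$substituted = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');

// The helper escapes the markup and leaves the cp1251 text bytes intact.
$escaped = html_escape($input);

var_dump($as_utf8 === '');
var_dump(strpos($substituted, "\xEF\xBF\xBD") !== false);
var_dump($escaped === "\xCF\xF0\xE8\xE2\xE5\xF2 &lt;b title=&quot;x&quot;&gt;");
```

Because the empty result raises no error, a charset mismatch shows up as missing page content rather than as a visible failure, which is why the encoding argument is worth passing explicitly at every call site or in one shared helper.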
Previous Comments:
------------------------------------------------------------------------
[2013-09-17 08:48:26] b83 at yandex dot ru
Moreover it will be impossible to upgrade to newer OS versions and use PHP
versions from distro. Which is even more a security issue.
http://askubuntu.com/questions/306487/install-php-5-3-on-ubuntu-13-04
------------------------------------------------------------------------
[2013-07-25 19:18:45] [email protected]
Related To: Bug #63426
------------------------------------------------------------------------
[2013-07-20 12:49:28] stemind at gmail dot com
Zend should be convinced. The Zend htmlspecialchars Initiative
http://ufive.ch/tzhi/
------------------------------------------------------------------------
[2013-07-12 13:15:06] kstirn at gmail dot com
Instead of moving on to PHP 5.4 and PHP 5.5 thousands of servers will stay with
legacy PHP 5.3 due to this single, easy to solve (ini setting) issue that the
PHP team has decided to ignore.
------------------------------------------------------------------------
[2013-07-12 10:57:40] tototation at gmail dot com
Yes, I'm interested too to understand that fact.
I recently upgraded my server, and ALL my code is unusable !
A search in code found +470 000 words htmlentities or htmlspecialchars !!!!!
HOW TO CHANGE ALL THIS ????? THAT'S IMPOSSIBLE !!!!!!!!
Thanks, we must stop all our services and websites.
Just for a stupid thing.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=61354