ID: 27914
Updated by: [EMAIL PROTECTED]
Reported By: slunta at msn dot com
-Status: Open
+Status: Feedback
Bug Type: Unknown/Other Function
Operating System: Irrelevant
PHP Version: Irrelevant
New Comment:

Not enough information was provided for us to be able to handle this bug. Please re-read the instructions at http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it to this bug and change the status back to "Open".

Thank you for your interest in PHP.

Previous Comments:
------------------------------------------------------------------------

[2004-04-07 18:26:23] slunta at msn dot com

Description:
------------
There is an htmlentities glitch. If you have a message in a textarea box, and you use </textarea>, it allows HTML after that to be parsed on a message preview screen if there is one.

Reproduce code:
---------------
$input=htmlentities($input);

Expected result:
----------------
I can't really give you code without giving out my entire message screen; let's just say that with this textarea box I'm typing in right now, if I decide to type in </textarea>, and then something like <marquee>glitch</marquee>, the <marquee> would be parsed at the bottom of the screen. My expected result is to not have this happen.

Actual result:
--------------
Of course, the actual result is allowing HTML after the </textarea> to be parsed. If someone used

</textarea> <!#cmd.execute="[database query]">

then it would allow a DB query to execute on servers if ASP is mixed with PHP code. This is a dangerous problem, and needs a fix. All I'm saying is that htmlentities() needs to be allowed to block </textarea> for things like message previews.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=27914&edit=1
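Added illustration of the behaviour the report describes (this is not code from the bug report or from PHP itself): htmlentities() does escape "</textarea>" when the message is placed back inside the textarea, so the tag that reaches the browser unescaped comes from a second output sink, the preview pane, that echoes the message without escaping. The message string is constructed from the report's own example, and the function names render_preview_unescaped / render_preview_escaped are hypothetical.

```php
<?php
// Added example, not from the bug report. Shows that htmlentities() already
// neutralises "</textarea>" inside the textarea, and that the raw markup in
// the preview comes from echoing the message into a second, unescaped sink.

declare(strict_types=1);

// Constructed input modelled on the report: closes the textarea, then adds markup.
const SAMPLE_MESSAGE = "</textarea><marquee>glitch</marquee>";

// Escapes text for placement inside an HTML element body or a quoted attribute.
function esc(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The pattern the report describes: the textarea is escaped, the preview is not.
// Hypothetical function name; the raw echo into the preview div is the defect.
function render_preview_unescaped(string $message): string
{
    return "<textarea name=\"body\">" . esc($message) . "</textarea>\n"
         . "<div class=\"preview\">" . $message . "</div>\n";
}

// Hardened form: every sink that receives the message escapes it.
function render_preview_escaped(string $message): string
{
    return "<textarea name=\"body\">" . esc($message) . "</textarea>\n"
         . "<div class=\"preview\">" . esc($message) . "</div>\n";
}

// Quick check: the textarea never contains an injected "</textarea>" in either
// version; only the unescaped preview lets the <marquee> tag reach the browser.
$unsafe = render_preview_unescaped(SAMPLE_MESSAGE);
$safe   = render_preview_escaped(SAMPLE_MESSAGE);

assert(substr_count($unsafe, '</textarea>') === 2); // the real one plus the injected one
assert(substr_count($safe, '</textarea>') === 1);   // only the real closing tag
assert(strpos($safe, '<marquee>') === false);
assert(strpos($safe, '&lt;marquee&gt;') !== false);

echo $safe;
```

Running this from the CLI prints the escaped page; the assertions pass because htmlentities() turns both "</textarea>" and "<marquee>" into entity text. The defence is to escape at every output point (textarea and preview alike), not to have htmlentities() special-case one tag.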