ID: 27914
Updated by: [EMAIL PROTECTED]
Reported By: slunta at msn dot com
-Status: Feedback
+Status: Bogus
Bug Type: Unknown/Other Function
Operating System: Irrelevant
PHP Version: Irrelevant
New Comment:

And there is no such PHP version as "Irrelevant"..

Previous Comments:
------------------------------------------------------------------------

[2004-04-08 06:34:12] [EMAIL PROTECTED]

Not enough information was provided for us to be able to handle this bug. Please re-read the instructions at http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it to this bug and change the status back to "Open". Thank you for your interest in PHP.

------------------------------------------------------------------------

[2004-04-07 18:26:23] slunta at msn dot com

Description:
------------
There is an htmlentities glitch. If you have a message in a textarea box, and you use </textarea>, it allows HTML after that to be parsed on a message preview screen if there is one.

Reproduce code:
---------------
$input = htmlentities($input);

Expected result:
----------------
I can't really give you a code without giving out my entire message screen; let's just say that with this textarea box I'm typing in right now, if I decide to type in </textarea>, and then something like <marquee>glitch</marquee>, the <marquee> would be parsed at the bottom of the screen. My expected result is to not have this happen.

Actual result:
--------------
Of course, the actual result is allowing HTML after the </textarea> to be parsed. If someone used

</textarea> <!#cmd.execute="[database query]">

then it would allow a db query to execute on servers if ASP is mixed with PHP code. This is a dangerous problem, and needs a fix. All I'm saying is that htmlentities() needs to be allowed to block </textarea> for things like message previews.

------------------------------------------------------------------------

-- Edit this bug report at http://bugs.php.net/?id=27914&edit=1
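An added example, not from the report or the PHP project, illustrating why the report was closed as bogus: htmlentities() already turns a typed </textarea> into &lt;/textarea&gt;, so tags get parsed only where a page echoes the raw input (here a constructed preview pane) instead of the escaped value. The function names, the preview markup and the sample input are assumptions.

```php
<?php
// Added example (not the reporter's code). Compares a preview page that
// echoes raw input with one that escapes every echo of the input.

function previewUnsafe(string $msg): string {
    // The textarea is escaped, but the preview pane echoes $msg raw, so a
    // user-typed </textarea> and anything after it is parsed by the browser.
    return '<textarea name="msg">' . htmlentities($msg, ENT_QUOTES, 'UTF-8') . '</textarea>'
         . '<div class="preview">' . $msg . '</div>';
}

function previewSafe(string $msg): string {
    // Escape once and reuse the escaped value in both contexts: the literal
    // </textarea> becomes &lt;/textarea&gt; and is displayed, not parsed.
    $safe = htmlentities($msg, ENT_QUOTES, 'UTF-8');
    return '<textarea name="msg">' . $safe . '</textarea>'
         . '<div class="preview">' . $safe . '</div>';
}

// Count raw closing tags in the rendered page: a correct page has exactly
// one, the page's own closing tag.
function countRawClosers(string $html): int {
    return substr_count($html, '</textarea>');
}

// Constructed sample input of the kind the report describes.
$input = 'hello</textarea><marquee>glitch</marquee>';

echo 'unsafe preview: ', countRawClosers(previewUnsafe($input)), " </textarea> tag(s)\n";
echo 'safe preview:   ', countRawClosers(previewSafe($input)), " </textarea> tag(s)\n";
```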