ID:               42176
 Updated by:       [EMAIL PROTECTED]
 Reported By:      judas dot iscariote at gmail dot com
-Status:           Closed
+Status:           Open
 Bug Type:         Documentation problem
 Operating System: irrelevant
 PHP Version:      Irrelevant
 New Comment:

Still open, this is a general question/consideration that affects the
entire manual.


Previous Comments:
------------------------------------------------------------------------

[2007-08-16 09:57:16] [EMAIL PROTECTED]

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation
better.

<?php
if ($_POST) {
    echo '<pre>';
    echo htmlspecialchars(print_r($_POST, true));
    echo '</pre>';
}
?>
<form action="" method="post">
    Name:  <input type="text" name="personal[name]" /><br />
    Email: <input type="text" name="personal[email]" /><br />
    Beer: <br />
    <select multiple name="beer[]">
        <option value="warthog">Warthog</option>
        <option value="guinness">Guinness</option>
        <option value="stuttgarter">Stuttgarter Schwabenbräu</option>
    </select><br />
    <input type="submit" value="submit me!" />
</form>


------------------------------------------------------------------------

[2007-08-02 13:51:25] [EMAIL PROTECTED]

This is a tough question because this type of example is everywhere and
escaping every variable throughout the entire manual gets messy. And do
we know of a method that will work with 100% of all cases? Do we use
filter, htmlspecialchars, or a custom way? No simple answer (that I know
of).

I believe this was briefly discussed once and we decided to simply
leave it, but, it's worth officially discussing and in need of a
creative solution because this is a real problem.

Regardless, the security section (and tutorial) must both contain
sections that talk about this topic so we may refer to them elsewhere.
For example, the following is outdated:

http://php.net/manual/en/security.variables



------------------------------------------------------------------------

[2007-08-02 11:36:44] judas dot iscariote at gmail dot com

Description:
------------
the "Example 12.11. More complex form variables"
in

http://php.net/manual/en/language.variables.external.php


contains a security hole.


Reproduce code:
---------------
says:

echo '<a href="'. $_SERVER['PHP_SELF'] .'">Please try again</a>';


<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

as well as print_r($_POST)...

Expected result:
----------------
The manual should always teach good practices: PHP_SELF escaped, and
$_POST not printed without escaping.

Actual result:
--------------
A how-to on permitting XSS in your code.


------------------------------------------------------------------------
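The pattern the original report objects to, placed beside the htmlspecialchars-based escaping the later comment applied. This is an added illustration, not code from the PHP manual or from anyone in this thread; the request values, the helper name e() and the two markup functions are constructed for the demonstration.

```php
<?php
// Added example: not from the PHP manual or this bug report.
// Shows the unescaped pattern the report flags next to an escaped version.

// Helper (assumed name): escape a string for an HTML context. ENT_QUOTES
// covers attribute values delimited with either quote style; ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values standing in for a live request. PHP_SELF is
// derived from the request URL (including any trailing path info), so it is
// influenced by the client just as $_POST is.
$phpSelf = '/form.php/extra';
$post    = [
    'personal' => ['name' => 'Ada <b>Lovelace</b>', 'email' => 'ada@example.org'],
    'beer'     => ['guinness'],
];

// VULNERABLE (the manual's old pattern): raw interpolation into HTML, so any
// markup characters in PHP_SELF or the posted fields become live HTML.
function vulnerable_markup(string $phpSelf, array $post): string {
    $out  = '<form action="' . $phpSelf . '" method="post"></form>';
    $out .= '<pre>' . print_r($post, true) . '</pre>';
    $out .= '<a href="' . $phpSelf . '">Please try again</a>';
    return $out;
}

// HARDENED: every untrusted value passes through e() before reaching the
// page. (The documentation fix above instead used action="", which avoids
// echoing PHP_SELF at all; escaping is the general rule when it must appear.)
function hardened_markup(string $phpSelf, array $post): string {
    $out  = '<form action="' . e($phpSelf) . '" method="post"></form>';
    $out .= '<pre>' . e(print_r($post, true)) . '</pre>';
    $out .= '<a href="' . e($phpSelf) . '">Please try again</a>';
    return $out;
}

echo "--- unescaped ---\n", vulnerable_markup($phpSelf, $post), "\n\n";
echo "--- escaped ---\n",   hardened_markup($phpSelf, $post), "\n";
```

Running it with `php` prints both renderings; in the escaped one the `<b>` in the posted name appears as literal `&lt;b&gt;` text rather than being interpreted by the browser.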

