ID: 42176
Updated by: [EMAIL PROTECTED]
Reported By: judas dot iscariote at gmail dot com
-Status: Open
+Status: Closed
Bug Type: Documentation problem
Operating System: irrelevant
PHP Version: Irrelevant

New Comment:

In my opinion - don't ever promote insecure code in the documentation. If you have another opinion, bring the discussion to the mailing list or phpdoc/rfc. If you know about any other holes, please report or fix them. Symptoms of this bug are fixed now so it can be closed IMHO.

Previous Comments:
------------------------------------------------------------------------

[2007-08-16 12:10:20] [EMAIL PROTECTED]

Still open, this is a general question/consideration that affects the entire manual.

------------------------------------------------------------------------

[2007-08-16 09:57:16] [EMAIL PROTECTED]

This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient. Thank you for the report, and for helping us make our documentation better.

<?php
if ($_POST) {
    echo '<pre>';
    echo htmlspecialchars(print_r($_POST, true));
    echo '</pre>';
}
?>
<form action="" method="post">
    Name:  <input type="text" name="personal[name]" /><br />
    Email: <input type="text" name="personal[email]" /><br />
    Beer: <br />
    <select multiple name="beer[]">
        <option value="warthog">Warthog</option>
        <option value="guinness">Guinness</option>
        <option value="stuttgarter">Stuttgarter Schwabenbräu</option>
    </select><br />
    <input type="submit" value="submit me!" />
</form>

------------------------------------------------------------------------

[2007-08-02 13:51:25] [EMAIL PROTECTED]

This is a tough question because this type of example is everywhere and escaping every variable throughout the entire manual gets messy. And do we know of a method that will work with 100% of all cases? Do we use filter, htmlspecialchars, or a custom way? No simple answer (that I know of). I believe this was briefly discussed once and we decided to simply leave it, but it's worth officially discussing and in need of a creative solution because this is a real problem.

Regardless, the security section (and tutorial) must both contain sections that talk about this topic so we may refer to them elsewhere. For example, the following is outdated: http://php.net/manual/en/security.variables

------------------------------------------------------------------------

[2007-08-02 11:36:44] judas dot iscariote at gmail dot com

Description:
------------
the "Example 12.11. More complex form variables" in http://php.net/manual/en/language.variables.external.php contains a security hole.

Reproduce code:
---------------
says:

echo '<a href="'. $_SERVER['PHP_SELF'] .'">Please try again</a>';

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

as well as print_r($_POST)...

Expected result:
----------------
manual teaching good practices always, PHP_SELF escaped as well, $_POST not printed without escaping

Actual result:
--------------
a how to permit XSS in your code.

------------------------------------------------------------------------
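The two unescaped outputs the report names (the PHP_SELF form action and the print_r() dump of $_POST), rendered once as the original manual example did and once escaped, as an added example that is not code from the bug report, the PHP manual or the documentation fix; $phpSelf and $post are stand-ins for $_SERVER['PHP_SELF'] and $_POST so that it runs from the command line, and the inputs are constructed.

```php
<?php
// Escape a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES matters: before PHP 8.1 the default (ENT_COMPAT) leaves the
// single quote alone, which is not enough inside single-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unescaped, the pattern the report objects to.
function renderUnescaped(string $phpSelf, array $post): string
{
    return '<form action="' . $phpSelf . '" method="post"></form>'
         . '<pre>' . print_r($post, true) . '</pre>';
}

// Escaped. PHP_SELF is client-controlled (it carries any path-info appended
// to the request URI), so it is treated exactly like $_POST. print_r() output
// is plain text, so one htmlspecialchars() over the whole dump is enough,
// which is what the committed fix does. Using action="" instead, as the fix
// also does, sidesteps PHP_SELF entirely: the browser posts to the current URL.
function renderEscaped(string $phpSelf, array $post): string
{
    return '<form action="' . h($phpSelf) . '" method="post"></form>'
         . '<pre>' . h(print_r($post, true)) . '</pre>';
}

// The fixed template contributes exactly 4 '<' and 4 '"'. Anything beyond
// that came from request data and would be parsed by the browser as markup.
function noRawMarkupFromInput(string $html): bool
{
    return substr_count($html, '<') === 4 && substr_count($html, '"') === 4;
}

// Constructed inputs carrying the characters that close an attribute value
// or a <pre> block; they stand in for what a client can put in the request.
$phpSelf = '/form.php/path"info';
$post    = ['personal' => ['name' => '<b>Name</b>', 'email' => "o'reilly"]];

foreach (['renderUnescaped', 'renderEscaped'] as $fn) {
    $html = $fn($phpSelf, $post);
    printf("%-16s %s\n", $fn,
        noRawMarkupFromInput($html) ? 'input fully escaped' : 'RAW MARKUP FROM INPUT');
}
```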