(Wietse Venema) wrote:
To give an idea of the functionality, consider the following program with an obvious HTML injection bug:

<?php
$username = $_GET['username'];
echo "Welcome back, $username\n";
?>

With default .ini settings, this program does exactly what the programmer wrote: it echoes the contents of the username request attribute, including all the malicious HTML code that an attacker may have supplied along with it. When I change one .ini setting:

taint_error_level = E_WARNING

the program produces the same output, but it also produces a warning:

Warning: echo(): Argument contains data that is not converted with htmlspecialchars() or htmlentities() in /path/to/script on line 3
A PHP application doesn't always generate HTML: it can generate JSON, CSV, PDF, etc. In this case, we don't have to call htmlspecialchars, etc.

Is this warning also shown when you want to output data other than HTML? If not, how does your code guess the output type? If so, how can we disable this warning in pages that produce JSON, etc.?
Laurent --- http://jelix.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
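To illustrate the distinction Laurent raises, here is an added example (not code from Wietse's patch or from anyone in the thread) that places the quoted program's bug beside the HTML-context fix the taint warning asks for and the JSON-context alternative where htmlspecialchars() is the wrong tool; the input string is constructed.

```php
<?php
// Added example, not from the thread. The three functions take the same
// request value and show which encoding belongs to which output context.
declare(strict_types=1);

/** The quoted program's bug: raw request data interpolated into HTML. */
function welcomeHtmlUnsafe(string $username): string
{
    return "Welcome back, $username\n";
}

/** HTML context: this is the conversion the taint check looks for. */
function welcomeHtml(string $username): string
{
    // ENT_QUOTES also covers attribute values; ENT_SUBSTITUTE keeps
    // htmlspecialchars() from returning "" (and blanking output) on
    // invalid UTF-8. Always pass the charset explicitly.
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Welcome back, $safe\n";
}

/** JSON context: json_encode() does the escaping; HTML entities would
 *  corrupt the data. Serve it with Content-Type: application/json. */
function welcomeJson(string $username): string
{
    // JSON_THROW_ON_ERROR (PHP 7.3+) surfaces invalid UTF-8 instead of
    // silently returning false. If this JSON is ever inlined into an HTML
    // page, add JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT.
    $json = json_encode(['message' => "Welcome back, $username"], JSON_THROW_ON_ERROR);
    return $json . "\n";
}

// Constructed attacker-style value standing in for $_GET['username'].
$input = '<script>alert(1)</script>';

echo welcomeHtmlUnsafe($input); // tags pass through to the browser unchanged
echo welcomeHtml($input);       // Welcome back, &lt;script&gt;alert(1)&lt;/script&gt;
echo welcomeJson($input);       // {"message":"Welcome back, <script>alert(1)<\/script>"}
```

The JSON output is only safe when the response carries a non-HTML Content-Type; the same bytes echoed into a text/html response are back in the HTML context and need welcomeHtml()'s treatment.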
