(Wietse Venema) wrote:
To give an idea of the functionality, consider the following program
with an obvious HTML injection bug:
<?php
$username = $_GET['username'];
echo "Welcome back, $username\n";
?>
With default .ini settings, this program does exactly what the
programmer wrote: it echos the contents of the username request
attribute, including all the malicious HTML code that an attacker
may have supplied along with it.
When I change one .ini setting:
taint_error_level = E_WARNING
the program produces the same output, but it also produces a warning:
Warning: echo(): Argument contains data that is not converted
with htmlspecialchars() or htmlentities() in /path/to/script
on line 3
A PHP application doesn't always generate HTML: it can generate JSON,
CSV, PDF, etc. In this case, we don't have to call htmlspecialchars, etc.
Does this warning also appear when you want to output data other than
HTML? If not, how does your code guess the output type? If so, how can we
disable this warning in pages which produce JSON, etc.?
Laurent
---
http://jelix.org
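Added example, not from Wietse's patch or the original posts: the same "Welcome back" page rendered with an encoder chosen per response type, which is the manual discipline the taint warning is meant to enforce for HTML and the thing it cannot guess for JSON or CSV. The function name render_welcome() and the sample username are constructed here; nothing is assumed about how the patch treats json_encode() or fputcsv().

```php
<?php
declare(strict_types=1);

// Render the greeting for one output format. Each branch uses the encoder
// that matches the format; using htmlspecialchars() for JSON or CSV would
// corrupt the data, and using none for HTML is the injection bug above.
function render_welcome(string $username, string $format): string
{
    switch ($format) {
        case 'html':
            // This is the call the taint check looks for. ENT_QUOTES also
            // covers attribute contexts; the charset must be explicit.
            $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return "Welcome back, $safe\n";

        case 'json':
            // JSON has its own escaping. JSON_HEX_TAG/JSON_HEX_AMP keep the
            // result safe even if a caller later inlines it into <script>.
            $flags = JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP;
            return json_encode(['message' => "Welcome back, $username"], $flags) . "\n";

        case 'csv':
            // fputcsv() quotes fields containing delimiters, quotes or newlines.
            $fh = fopen('php://memory', 'r+');
            fputcsv($fh, ['Welcome back', $username]);
            rewind($fh);
            $line = stream_get_contents($fh);
            fclose($fh);
            return $line;

        default:
            throw new InvalidArgumentException("unknown format: $format");
    }
}

// Constructed sample input standing in for $_GET['username'].
$username = '<script>alert(1)</script>, "quoted", with, commas';

foreach (['html', 'json', 'csv'] as $format) {
    echo "--- $format ---\n";
    echo render_welcome($username, $format);
}
```

The HTML branch is the only one where the patched echo() would be satisfied; for the other two, the Content-Type header, not the encoder, tells the browser how to interpret the bytes, so the response must also set it explicitly.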
--
PHP Internals - PHP Runtime Development Mailing List