laurent jouanneau:
> (Wietse Venema) wrote:
> > To give an idea of the functionality, consider the following program
> > with an obvious HTML injection bug:
> >
> > <?php
> > $username = $_GET['username'];
> > echo "Welcome back, $username\n";
> > ?>
> >
> > With default .ini settings, this program does exactly what the
> > programmer wrote: it echos the contents of the username request
> > attribute, including all the malicious HTML code that an attacker
> > may have supplied along with it.
> >
> > When I change one .ini setting:
> >
> > taint_error_level = E_WARNING
> >
> > the program produces the same output, but it also produces a warning:
> >
> > Warning: echo(): Argument contains data that is not converted
> > with htmlspecialchars() or htmlentities() in /path/to/script
> > on line 3
>
> A PHP application doesn't always generate HTML: it can generate JSON,
> CSV, PDF, etc. In this case, we don't have to call htmlspecialchars, etc.
In that case, I suppose you would not be using echo, so there
is no problem.
Wietse
> Does this warning also appear when you want to output data other than
> HTML? If not, how does your code guess the output type? If so, how can we
> disable this warning in pages which produce JSON, etc.?
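As an added example (not code from the thread or from Wietse's patch), the snippet quoted above placed next to the escaped HTML form a taint check would accept and the JSON form laurent asks about; the input value is constructed and PHP 7.3+ is assumed for JSON_THROW_ON_ERROR:

```php
<?php
// Added example, not from the thread. Runs from the CLI:
//   php taint_demo.php '<script>alert(1)</script>'
declare(strict_types=1);

// Constructed stand-in for $_GET['username'] so the script runs offline.
$username = $argv[1] ?? '<script>alert(1)</script>';

// 1. The program from the thread: tainted input reaches echo() unchanged.
//    With the patch's taint_error_level = E_WARNING this is what gets flagged.
function welcomeUnsafe(string $name): string
{
    return "Welcome back, $name\n";
}

// 2. HTML output, fixed: escape at the output boundary. ENT_QUOTES also
//    encodes ' and " so the value is safe inside attribute values too;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function welcomeHtml(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Welcome back, $safe\n";
}

// 3. JSON output (laurent's case): htmlspecialchars() is the wrong encoder
//    here. json_encode() escapes quotes, backslashes and control characters
//    for the JSON grammar; JSON_HEX_TAG/JSON_HEX_AMP additionally encode
//    <, > and & so the body stays inert if a client ever renders it as HTML.
function welcomeJson(string $name): string
{
    return json_encode(
        ['message' => "Welcome back, $name"],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    ) . "\n";
}

// Each variant would be sent under its own Content-Type in a real handler:
//   text/html for (2), application/json for (3).
echo "unsafe: " . welcomeUnsafe($username);
echo "html:   " . welcomeHtml($username);
echo "json:   " . welcomeJson($username);
```

Only the first line echoes the raw `<script>` tag; the other two keep the tag inert in their respective output formats.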
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php