Edit report at http://bugs.php.net/bug.php?id=47532&edit=1
ID: 47532
Comment by: nospaces at eatmorespuds dot com
Reported by: sgunderson at bigfoot dot com
Summary: DOMAttribute value getter and setter do not escape
equally
Status: Wont fix
Type: Bug
Package: DOM XML related
Operating System: Debian
PHP Version: 5.3CVS-2009-02-28 (snap)
New Comment:
Might be good to ensure this appears in the PHP documentation.
Previous Comments:
------------------------------------------------------------------------
[2010-02-14 13:31:22] [email protected]
Changing this would break some long standing BC. The problem is really
in setting the attribute value. The workaround for this is to use
something like htmlspecialchars when setting a DOMAttr->value using
another DOMAttr->value
------------------------------------------------------------------------
[2009-02-28 16:13:54] sgunderson at bigfoot dot com
Description:
------------
When you fetch the "value" field of a DOMAttribute, it seems to unescape
any HTML (or perhaps XML?) entities present. However, when you set it,
it does not get escaped. In other words, if you do "$attr->value =
$attr->value" (which really should be a no-op!) as in the example below,
you will get errors if it happened to contain &.
Verified with PHP 5.2.6 and 5.3.0 snap (2008-02-28).
Reproduce code:
---------------
<?php
$doc = new DOMDocument;
$doc->loadXML('<html><element /></html>');
$elem = $doc->documentElement->firstChild;
$attr = $doc->createAttribute("foo");
$attr->value = "foo&bar";
$attr->value = $attr->value;
$elem->appendChild($attr);
print $doc->saveXML();
?>
Expected result:
----------------
<?xml version="1.0"?>
<html><element foo="foo&bar"/></html>
Actual result:
--------------
Warning: main(): unterminated entity reference bar in
/home/sesse/test3.php on line 8
<?xml version="1.0"?>
<html><element foo="foo"/></html>
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/bug.php?id=47532&edit=1
