Edit report at http://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         jan-bugreport at gmx dot de
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in
                     DOMElement->setAttribute
 Status:             Bogus
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N
 Private report:     N

 New Comment:

With simpleXML, addChild($name, $value) works really weird (tested on
5.3.1 on win): in the value, the characters < and > are correctly
escaped to &lt; and &gt; but ampersands cause the "unterminated entity
reference" message. I would understand if it escaped nothing, or if it
escaped everything, but this seems weird.



Also, no matter what the final decision about this bug will be, this
should be documented really well in the SimpleXML docs. It is confusing
and I could imagine it could cause security issues in some applications.


Previous Comments:
------------------------------------------------------------------------
[2010-09-22 01:02:27] steven at navolutions dot com

I also had this issue, one thing that might not have been included in
the original reproducing of the code is that the DOMElement may have
been extended. I know mine is extended so reproduce the code by
extending the DOMElement class. I also extended the DOMDocument class
so try that too. So no, the status is not Bogus, it just needs to be
tested thoroughly.

------------------------------------------------------------------------
[2010-04-09 14:01:23] [email protected]

Behavior as defined by DOM specs. No warnings are issued from either
of the 2 examples in the reproduced code.

addChild() method described in later reports works as defined by specs.
Use the simplexml property accessors for auto escaping.

------------------------------------------------------------------------
[2010-02-04 18:23:10] jalday at delivery dot com

Still seeing this issue...

$order_x->addChild('location', '1st & 52nd');

gives "Warning: SimpleXMLElement::addChild(): unterminated entity
reference"

If I run it as

$order_x->addChild('location', htmlspecialchars('1st & 52nd'));

I have no problems.

------------------------------------------------------------------------
[2009-10-22 16:28:09] gary dot malcolm at gmail dot com

I'm running PHP 5.2.9 on Linux and this bug is still alive and well
making SimpleXml absolutely inappropriate for XML communications between
systems.

<code>
  $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
  return $sxml->addChild($name, $safe_value);
</code>

Is just plain wrong. I'm communicating user input directly to a bank as
I can't know how the third party will parse their xml.

------------------------------------------------------------------------
[2008-04-03 23:15:04] rob at electronicinsight dot com

A little hack to get around this bug:

function &safe_add_child(&$sxml, $name, $value) {
  // Escape only ampersands that are not already followed by an
  // entity name and ';', so existing references such as &lt; are kept.
  $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
  return $sxml->addChild($name, $safe_value);
}

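The following is an added example, not code from the bug report or from PHP itself: it runs the untrusted-input cases raised in this thread through addChild() as-is, through the regex workaround above, through htmlspecialchars() pre-escaping, and through the property accessor the maintainer recommends, and checks which of them give the original text back after re-parsing. It assumes PHP 7 or later with the SimpleXML extension; the sample inputs are constructed.

```php
<?php
// Added example (not code from the bug report): the ways this thread discusses
// for putting untrusted text into a SimpleXML element. Assumes PHP 7+; inputs constructed.

function build_with_add_child(string $input): string {
    $sx = new SimpleXMLElement('<order/>');
    // addChild() parses & as an entity start; a bare & gives this report's warning (@ hides it).
    @$sx->addChild('location', $input);
    return $sx->asXML();
}

function build_with_regex_hack(string $input): string {
    $sx = new SimpleXMLElement('<order/>');
    // The workaround posted in the thread: escapes only ampersands that do not
    // already look like an entity, so entity-like text in the input is kept.
    $sx->addChild('location', preg_replace('/&(?!\w+;)/', '&amp;', $input));
    return $sx->asXML();
}

function build_with_htmlspecialchars(string $input): string {
    $sx = new SimpleXMLElement('<order/>');
    // Pre-escape every & < > so addChild() only sees well-formed entities.
    $sx->addChild('location', htmlspecialchars($input, ENT_XML1 | ENT_QUOTES, 'UTF-8'));
    return $sx->asXML();
}

function build_with_property(string $input): string {
    $sx = new SimpleXMLElement('<order/>');
    // Property assignment, as the maintainer recommends: value stored as text.
    $sx->location = $input;
    return $sx->asXML();
}

function round_trips(string $xml, string $expected): bool {
    // Parse the document back; a mismatch means the text was truncated or
    // entity-decoded on the way through, which is the data-integrity risk.
    $parsed = @simplexml_load_string($xml);
    return $parsed !== false && (string) $parsed->location === $expected;
}

$samples = ['1st & 52nd', 'a < b && c > d', '&lt;script&gt; &#38; more'];
$builders = ['build_with_add_child', 'build_with_regex_hack',
             'build_with_htmlspecialchars', 'build_with_property'];
foreach ($samples as $input) {
    foreach ($builders as $fn) {
        $xml = $fn($input);
        printf("%-27s %-30s round-trips: %s  %s\n", $fn, var_export($input, true),
               round_trips($xml, $input) ? 'yes' : 'NO', trim(strstr($xml, '<order')));
    }
}
```

Only the two approaches that escape every ampersand before it reaches libxml hand back the original text for all three inputs; the other two either drop text after a bare & or decode entity-looking input.
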
------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=36795

