Edit report at https://bugs.php.net/bug.php?id=62013&edit=1
ID: 62013 Updated by: [email protected] Reported by: c dot noesterer at gmail dot com Summary: Htmlentities doesn't convert the characters (,),: to a named entity -Status: Open +Status: Not a bug Type: Bug Package: Filter related Operating System: Linux 3.3.4-1-ARCH PHP Version: 5.4.3 Block user comment: N Private report: N New Comment: You are using the wrong function. htmlentities() for encoding entities special to HTML. Inside an href tag you don't have HTML, you have a URL so you need to use urlencode(). Previous Comments: ------------------------------------------------------------------------ [2012-05-13 01:01:07] c dot noesterer at gmail dot com Description: ------------ Htmlentities doesn't convert the characters (,),: to a named entity. Therefore a XSS-attack works for the script attached: ?test=javascript:alert(1); Test script: --------------- <!DOCTYPE html> <html> <head> <title>Test</title> </head> <body> <?php echo '<a href='.htmlentities($_GET["test"]).'>test</a>'; ?> </body> </html> Expected result: ---------------- <a href=javascript:alert(1)>test</a> Actual result: -------------- <a href=javascript:alert(1);>test</a> ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=62013&edit=1
