From: ibrash at gmail dot com Operating system: N/A PHP version: 5.0.1 PHP Bug Type: Session related Bug description: URL rewriting uses raw value of arg_separator.output, not HTML-escaped value
Description: ------------ The behavior described in the title is quite familiar to those who use the session extension and the transparent SID URL rewriting. I'm aware that until now, the most often recommended solution for those seeking (X)HTML validity is to use & for arg_separator.output. However, URL rewriting is no longer the only thing that uses this directive and it's not being used consistently. In PHP 5, http_build_query uses this directive to create URL query strings. The problem arises in that while the HTML representation of a URL might be http://example.com/foo.php?bar=42&baz=6x9, the URL itself is http://example.com/foo.php?bar=42&baz=6x9. It makes sense for the URL rewriting to use an HTML-escaped version of arg_separator.output (it's operating in an HTML context) while http_build_query uses the raw version (it's creating a generic URL query string). Unfortunately, this represents a minor BC break for those who have set arg_separator.output to & as the HTML-escaped version of this is &amp;. By far, the better workaround to have given these people would have been changing arg_separator.output to ; and arg_separator.input to &;. Still, the PHP 5 line is young so this would probably be the best time to fix it and make URL rewriting use the HTML representation of arg_separator.output instead of the raw value. Reproduce code: --------------- <?php ini_set('arg_separator.output', '&'); ini_set('session.use_only_cookies', 0); ini_set('session.use_cookies', 0); ini_set('session.use_trans_sid', 1); ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src'); session_start(); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> <body> <p><a href="foo.php?<?php $data = array('bar' => 42, 'baz' => '6x9'); print htmlentities(http_build_query($data)); ?>">Sample Link</a></p> </body> </html> Expected result: ---------------- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> <body> <p><a href="foo.php?bar=42&baz=6x9&PHPSESSID=qgdt7l0pef5ra4mrmuosth42ks88k77t">Sample Link</a></p> </body> </html> Actual result: -------------- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en"> <body> <p><a href="foo.php?bar=42&baz=6x9&PHPSESSID=qgdt7l0pef5ra4mrmuosth42ks88k77t">Sample Link</a></p> </body> </html> (Note the &PHPSESSID) -- Edit bug report at http://bugs.php.net/?id=30049&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=30049&r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30049&r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30049&r=trysnapshot51 Fixed in CVS: http://bugs.php.net/fix.php?id=30049&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=30049&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=30049&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=30049&r=needscript Try newer version: http://bugs.php.net/fix.php?id=30049&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=30049&r=support Expected behavior: http://bugs.php.net/fix.php?id=30049&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=30049&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=30049&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=30049&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=30049&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=30049&r=dst IIS Stability: http://bugs.php.net/fix.php?id=30049&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=30049&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=30049&r=float MySQL Configuration Error: http://bugs.php.net/fix.php?id=30049&r=mysqlcfg
