Bug #36795 [Com]: Inappropriate "unterminated entity reference" in DOMElement->setAttribute
Edit report at https://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         hanskrentel at yahoo dot de
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in DOMElement->setAttribute
 Status:             Not a bug
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N
 Private report:     N

 New Comment:

This is bogus because & as character is needed in the attribute values to start an entity to express character references. Otherwise it would not be possible to set the superset of all XML attribute values (AttValue; http://www.w3.org/TR/xml/#NT-AttValue), the expression wouldn't be distinct.

Like you need to write "\t" in a PHP string to express a tab and therefore "\\" to express the slash.

I hope this clarifies this a bit.

Previous Comments:
------------------------------------------------------------------------
[2011-10-08 18:33:10] matteosistisette at gmail dot com

I'm still observing this issue (by the way, why is it marked as "bogus"?).

Even the simplexml property accessors do give me the warning, such as:

    $a['b'] = "& < '"; // GENERATES THE WARNING

------------------------------------------------------------------------
[2011-09-11 01:40:13] abxccd at msn dot com

I am still seeing this bug in PHP 5.3.8

------------------------------------------------------------------------
[2011-02-23 03:30:34] jan-bugreport at gmx dot de

With simpleXML, addChild($name, $value) works really weird (tested on 5.3.1 on win): in the value, the characters < and > are correctly escaped to &lt; and &gt; but ampersands cause the "unterminated entity reference" message. I would understand if it escaped nothing, or if it escaped everything, but this seems weird.

Also, no matter what the final decision about this bug will be, this should be documented really well in the SimpleXML docs. It is confusing and I could imagine it could cause security issues in some applications.

------------------------------------------------------------------------
[2010-09-22 01:02:27] steven at navolutions dot com

I also had this issue, one thing that might not have been included in the original reproducing of the code is that the DOMElement may have been extended. I know mine is extended so Reproduce the code by extending the DOMElement class. I also extended the DOMDocument class so try that too. So no the status is not Bogus, just to tested thoroughly.

------------------------------------------------------------------------
[2010-04-09 14:01:23] rricha...@php.net

Behavior as defined by DOM specs. No warnings are issued from either of the 2 examples in the reproduced code. addChild() method described in later reports works as defined by specs. Use the simplexml property accessors for auto escaping.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=36795

--
Edit this bug report at https://bugs.php.net/bug.php?id=36795&edit=1
Bug #36795 [Com]: Inappropriate "unterminated entity reference" in DOMElement->setAttribute
Edit report at https://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         matteosistisette at gmail dot com
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in DOMElement->setAttribute
 Status:             Bogus
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N
 Private report:     N

 New Comment:

I'm still observing this issue (by the way, why is it marked as "bogus"?).

Even the simplexml property accessors do give me the warning, such as:

    $a['b'] = "& < '"; // GENERATES THE WARNING

Previous Comments:
------------------------------------------------------------------------
[2011-09-11 01:40:13] abxccd at msn dot com

I am still seeing this bug in PHP 5.3.8

------------------------------------------------------------------------
[2011-02-23 03:30:34] jan-bugreport at gmx dot de

With simpleXML, addChild($name, $value) works really weird (tested on 5.3.1 on win): in the value, the characters < and > are correctly escaped to &lt; and &gt; but ampersands cause the "unterminated entity reference" message. I would understand if it escaped nothing, or if it escaped everything, but this seems weird.

Also, no matter what the final decision about this bug will be, this should be documented really well in the SimpleXML docs. It is confusing and I could imagine it could cause security issues in some applications.

------------------------------------------------------------------------
[2010-09-22 01:02:27] steven at navolutions dot com

I also had this issue, one thing that might not have been included in the original reproducing of the code is that the DOMElement may have been extended. I know mine is extended so Reproduce the code by extending the DOMElement class. I also extended the DOMDocument class so try that too. So no the status is not Bogus, just to tested thoroughly.

------------------------------------------------------------------------
[2010-04-09 14:01:23] rricha...@php.net

Behavior as defined by DOM specs. No warnings are issued from either of the 2 examples in the reproduced code. addChild() method described in later reports works as defined by specs. Use the simplexml property accessors for auto escaping.

------------------------------------------------------------------------
[2010-02-04 18:23:10] jalday at delivery dot com

Still seeing this issue...

    $order_x->addChild('location', '1st & 52nd');

gives "Warning: SimpleXMLElement::addChild(): unterminated entity reference"

If I run it as

    $order_x->addChild('location', htmlspecialchars('1st & 52nd'));

I have no problems.

------------------------------------------------------------------------
Bug #36795 [Com]: Inappropriate "unterminated entity reference" in DOMElement->setAttribute
Edit report at https://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         abxccd at msn dot com
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in DOMElement->setAttribute
 Status:             Bogus
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N
 Private report:     N

 New Comment:

I am still seeing this bug in PHP 5.3.8

Previous Comments:
------------------------------------------------------------------------
[2011-02-23 03:30:34] jan-bugreport at gmx dot de

With simpleXML, addChild($name, $value) works really weird (tested on 5.3.1 on win): in the value, the characters < and > are correctly escaped to &lt; and &gt; but ampersands cause the "unterminated entity reference" message. I would understand if it escaped nothing, or if it escaped everything, but this seems weird.

Also, no matter what the final decision about this bug will be, this should be documented really well in the SimpleXML docs. It is confusing and I could imagine it could cause security issues in some applications.

------------------------------------------------------------------------
[2010-09-22 01:02:27] steven at navolutions dot com

I also had this issue, one thing that might not have been included in the original reproducing of the code is that the DOMElement may have been extended. I know mine is extended so Reproduce the code by extending the DOMElement class. I also extended the DOMDocument class so try that too. So no the status is not Bogus, just to tested thoroughly.

------------------------------------------------------------------------
[2010-04-09 14:01:23] rricha...@php.net

Behavior as defined by DOM specs. No warnings are issued from either of the 2 examples in the reproduced code. addChild() method described in later reports works as defined by specs. Use the simplexml property accessors for auto escaping.

------------------------------------------------------------------------
[2010-02-04 18:23:10] jalday at delivery dot com

Still seeing this issue...

    $order_x->addChild('location', '1st & 52nd');

gives "Warning: SimpleXMLElement::addChild(): unterminated entity reference"

If I run it as

    $order_x->addChild('location', htmlspecialchars('1st & 52nd'));

I have no problems.

------------------------------------------------------------------------
[2009-10-22 16:28:09] gary dot malcolm at gmail dot com

I'm running PHP 5.2.9 on Linux and this bug is still alive and well making SimpleXml absolutely inappropriate for XML communications between systems.

    $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
    return $sxml->addChild($name, $safe_value);

Is just plain wrong. I'm communicating user input directly to a bank as I can't know how the third party will parse their xml.

------------------------------------------------------------------------
Bug #36795 [Com]: Inappropriate "unterminated entity reference" in DOMElement->setAttribute
Edit report at http://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         jan-bugreport at gmx dot de
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in DOMElement->setAttribute
 Status:             Bogus
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N
 Private report:     N

 New Comment:

With simpleXML, addChild($name, $value) works really weird (tested on 5.3.1 on win): in the value, the characters < and > are correctly escaped to &lt; and &gt; but ampersands cause the "unterminated entity reference" message. I would understand if it escaped nothing, or if it escaped everything, but this seems weird.

Also, no matter what the final decision about this bug will be, this should be documented really well in the SimpleXML docs. It is confusing and I could imagine it could cause security issues in some applications.

Previous Comments:
------------------------------------------------------------------------
[2010-09-22 01:02:27] steven at navolutions dot com

I also had this issue, one thing that might not have been included in the original reproducing of the code is that the DOMElement may have been extended. I know mine is extended so Reproduce the code by extending the DOMElement class. I also extended the DOMDocument class so try that too. So no the status is not Bogus, just to tested thoroughly.

------------------------------------------------------------------------
[2010-04-09 14:01:23] rricha...@php.net

Behavior as defined by DOM specs. No warnings are issued from either of the 2 examples in the reproduced code. addChild() method described in later reports works as defined by specs. Use the simplexml property accessors for auto escaping.

------------------------------------------------------------------------
[2010-02-04 18:23:10] jalday at delivery dot com

Still seeing this issue...

    $order_x->addChild('location', '1st & 52nd');

gives "Warning: SimpleXMLElement::addChild(): unterminated entity reference"

If I run it as

    $order_x->addChild('location', htmlspecialchars('1st & 52nd'));

I have no problems.

------------------------------------------------------------------------
[2009-10-22 16:28:09] gary dot malcolm at gmail dot com

I'm running PHP 5.2.9 on Linux and this bug is still alive and well making SimpleXml absolutely inappropriate for XML communications between systems.

    $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
    return $sxml->addChild($name, $safe_value);

Is just plain wrong. I'm communicating user input directly to a bank as I can't know how the third party will parse their xml.

------------------------------------------------------------------------
[2008-04-03 23:15:04] rob at electronicinsight dot com

A little hack to get around this bug:

    function &safe_add_child(&$sxml, $name, $value) {
        $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
        return $sxml->addChild($name, $safe_value);
    }

------------------------------------------------------------------------
Bug #36795 [Com]: Inappropriate "unterminated entity reference" in DOMElement->setAttribute
Edit report at http://bugs.php.net/bug.php?id=36795&edit=1

 ID:                 36795
 Comment by:         steven at navolutions dot com
 Reported by:        john at carney dot id dot au
 Summary:            Inappropriate "unterminated entity reference" in DOMElement->setAttribute
 Status:             Bogus
 Type:               Bug
 Package:            DOM XML related
 Operating System:   *
 PHP Version:        5.*, 6
 Block user comment: N

 New Comment:

I also had this issue, one thing that might not have been included in the original reproducing of the code is that the DOMElement may have been extended. I know mine is extended so Reproduce the code by extending the DOMElement class. I also extended the DOMDocument class so try that too. So no the status is not Bogus, just to tested thoroughly.

Previous Comments:
------------------------------------------------------------------------
[2010-04-09 14:01:23] rricha...@php.net

Behavior as defined by DOM specs. No warnings are issued from either of the 2 examples in the reproduced code. addChild() method described in later reports works as defined by specs. Use the simplexml property accessors for auto escaping.

------------------------------------------------------------------------
[2010-02-04 18:23:10] jalday at delivery dot com

Still seeing this issue...

    $order_x->addChild('location', '1st & 52nd');

gives "Warning: SimpleXMLElement::addChild(): unterminated entity reference"

If I run it as

    $order_x->addChild('location', htmlspecialchars('1st & 52nd'));

I have no problems.

------------------------------------------------------------------------
[2009-10-22 16:28:09] gary dot malcolm at gmail dot com

I'm running PHP 5.2.9 on Linux and this bug is still alive and well making SimpleXml absolutely inappropriate for XML communications between systems.

    $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
    return $sxml->addChild($name, $safe_value);

Is just plain wrong. I'm communicating user input directly to a bank as I can't know how the third party will parse their xml.

------------------------------------------------------------------------
[2008-04-03 23:15:04] rob at electronicinsight dot com

A little hack to get around this bug:

    function &safe_add_child(&$sxml, $name, $value) {
        $safe_value = preg_replace('/&(?!\w+;)/', '&amp;', $value);
        return $sxml->addChild($name, $safe_value);
    }

------------------------------------------------------------------------
[2008-02-08 20:09:37] moshe at varien dot com

PHP 5.2.4

Looks like the problem appears when there's node already exists being overwritten

    // works ok, doesn't require encoding:
    $a = simplexml_load_string('');
    $a->b = "& < ' ";

    // doesn't work, requires encoding:
    $a = simplexml_load_string('test');
    $a->b = "& < ' ";

    // doesn't work, always requires encoding
    $a->addChild('b', "& < '");
    $a->addAttribute('b', "& < '");

    // works ok, never requires encoding
    $a['b'] = "& < '";

------------------------------------------------------------------------
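
Added example, not part of the bug report or of PHP's own code: it compares the lookahead-regex workaround quoted in the thread with escaping every special character and with attaching the value as a DOM text node, checking whether each stores the caller's string unchanged. The helper names and the three input strings are constructed for illustration; ENT_XML1 assumes PHP 5.4 or later and the scalar type hints assume PHP 7.

```php
<?php
// Added illustration; helper names and sample inputs are constructed.

// The workaround from the thread: escape only ampersands that do not
// already look like the start of an entity reference.
function escape_bare_ampersands(string $value): string
{
    return preg_replace('/&(?!\w+;)/', '&amp;', $value);
}

// Escape every XML-significant character, so the value is always treated
// as literal text no matter what it resembles.
function escape_for_xml(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Create the child empty, then attach the value as a DOM text node;
// the serializer escapes it on output and no entity parsing takes place.
function add_text_child(SimpleXMLElement $parent, string $name, string $value): SimpleXMLElement
{
    $child = $parent->addChild($name);
    $node  = dom_import_simplexml($child);
    $node->appendChild($node->ownerDocument->createTextNode($value));
    return $child;
}

// True when reading the element back yields exactly what was passed in.
function round_trips(SimpleXMLElement $element, string $input): bool
{
    return (string) $element === $input;
}

// Constructed inputs: a bare ampersand, and two strings that a user typed
// literally but that happen to look like entity references.
$inputs = ['1st & 52nd', 'AT&amp;T', 'use &lt;b&gt; for bold'];

foreach ($inputs as $input) {
    $order   = new SimpleXMLElement('<order/>');
    $regex   = $order->addChild('location', escape_bare_ampersands($input));
    $escaped = $order->addChild('location', escape_for_xml($input));
    $dom     = add_text_child($order, 'location', $input);

    printf("%-24s regex=%s escaped=%s dom=%s\n", $input,
        var_export(round_trips($regex, $input), true),
        var_export(round_trips($escaped, $input), true),
        var_export(round_trips($dom, $input), true));
}
```

The regex variant passes entity-shaped input through untouched, so addChild() decodes it and the stored text differs from what the caller supplied; the other two variants treat the whole value as literal text.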