ID:               29570
Updated by:       [EMAIL PROTECTED]
Reported By:      grangeway at blueyonder dot co dot uk
-Status:          Open
+Status:          Bogus
Bug Type:         Feature/Change Request
Operating System: any
PHP Version:      4.3.8
New Comment:

They are all escaped the same way.


Previous Comments:
------------------------------------------------------------------------

[2004-08-08 12:47:27] grangeway at blueyonder dot co dot uk

Description:
------------
Bug #24024 discusses the fact that _SERVER["argv"] does not convert html entities e.g. < to &lt; as phpinfo() is a debugging tool, and is marked as bogus.

If this is the case, and content should not be escaped as phpinfo is for debugging, then:

_SERVER["QUERY_STRING"]</td><td class="v">test=<script>alert()</script></td></tr>

should not escape < to &lt; and should be consistent with the behaviour of _SERVER['argv'].

At the moment, _SERVER['argv'] and GET['test'] / _SERVER["QUERY_STRING"]</ etc show different representations of the same string, where in reality the value is the same.

Expected result:
----------------
Ideally all strings should be escaped. If not (i.e. if this would hinder debugging), then no strings should be escaped so that the output of any string in phpinfo matches the expected value given when running var_dump on the variable.

------------------------------------------------------------------------
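
The consistency the report asks for, as an added example that is not part of the original report and not phpinfo()'s own code: a debug table where every value goes through one escaping routine, next to a model of the reported inconsistency, plus a check that flags cells still carrying raw markup. The function names and the sample array are constructed for illustration.

```php
<?php
// Added example; hypothetical helpers, not phpinfo() internals.

// Constructed sample: the same request string reaching two $_SERVER entries.
$sample = [
    'QUERY_STRING' => 'test=<script>alert()</script>',
    'argv'         => ['test=<script>alert()</script>'],
];

// Single escaping routine used for every name and value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Render name/value rows. With $escapeArgv = false this models the
// inconsistency the report describes (argv shown raw); how phpinfo()
// arrives at that internally is not shown on the page.
function render(array $vars, bool $escapeArgv): string
{
    $out = '';
    foreach ($vars as $name => $value) {
        $text  = is_array($value) ? implode(' ', $value) : (string) $value;
        $shown = ($name === 'argv' && !$escapeArgv) ? $text : esc($text);
        $out  .= '<tr><td class="e">' . esc((string) $name) . '</td>'
               . '<td class="v">' . $shown . "</td></tr>\n";
    }
    return $out;
}

// Names of rows whose value cell still contains raw angle brackets.
function rows_with_raw_markup(string $html): array
{
    preg_match_all('~<td class="e">(.*?)</td><td class="v">(.*?)</td></tr>~s',
                   $html, $rows, PREG_SET_ORDER);
    $bad = [];
    foreach ($rows as [, $name, $value]) {
        if (strpbrk($value, '<>') !== false) {
            $bad[] = $name;
        }
    }
    return $bad;
}

print_r(rows_with_raw_markup(render($sample, false))); // inconsistent rendering
print_r(rows_with_raw_markup(render($sample, true)));  // every value escaped
```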