Invalid escaping in renderBaseAttrs #31

Merged
merged 1 commit into from over 2 years ago

2 participants

Jakub Vrána Scott MacVicar
Jakub Vrána
Collaborator

Summary:
Second parameter of htmlspecialchars() is flags (int), not bool.
Value true is understood as 1 which means: quote single quotes, not double quotes

Test Plan:
New test
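The description above says the bug is in the flags argument of `htmlspecialchars()`. The following is an added PHP example (not XHP's own code; the `buildAttrs*` function names and the sample attribute array are assumed for illustration) that puts the buggy attribute builder beside a hardened one so the difference can be run and inspected:

```php
<?php
// Added example, not part of XHP: contrasts the buggy and the hardened way of
// escaping attribute values. Function names are assumed for illustration.

// Buggy variant, as in the pre-patch renderBaseAttrs(): `true` is coerced to
// int 1, which htmlspecialchars() reads as "encode single quotes only", so a
// double quote in $val is emitted verbatim inside a double-quoted attribute.
function buildAttrsBuggy(array $attrs): string {
    $buf = '';
    foreach ($attrs as $key => $val) {
        if ($val !== null && $val !== false) {
            $buf .= ' ' . htmlspecialchars($key) . '="' . htmlspecialchars($val, true) . '"';
        }
    }
    return $buf;
}

// Hardened variant: ENT_QUOTES is passed explicitly so both quote characters
// are encoded regardless of PHP's version-dependent default flags, and the
// charset is pinned. (The PR itself simply drops the second argument and
// relies on the default, which already encodes double quotes.)
function buildAttrsFixed(array $attrs): string {
    $buf = '';
    foreach ($attrs as $key => $val) {
        if ($val !== null && $val !== false) {
            $buf .= ' ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8')
                  . '="' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . '"';
        }
    }
    return $buf;
}

// Constructed sample: attribute values containing a double quote and a
// single quote, the two characters whose treatment differs between the flags.
$sample = ['b' => '"', 'title' => "it's"];

echo '<a' . buildAttrsBuggy($sample) . ">c</a>\n";
echo '<a' . buildAttrsFixed($sample) . ">c</a>\n";
```

Running it shows the buggy builder leaving the `"` in place, where it terminates the attribute early, while the hardened builder emits `&quot;`, matching the expectation in the test this PR adds. Passing `ENT_QUOTES` explicitly is the defensive choice because the default flags of `htmlspecialchars()` have changed across PHP releases.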

Scott MacVicar scottmac merged commit 17f05e1 into from

Showing 1 unique commit by 1 author.

Feb 15, 2012
Jakub Vrana Invalid escaping in renderBaseAttrs()
0a99f67

Showing 2 changed files with 10 additions and 1 deletion.

  1. php-lib/html.php (+1, -1)
  2. tests/attr-quotes.phpt (+9, -0)
2  php-lib/html.php
@@ -65,7 +65,7 @@ public function requireUniqueId() {
65 65 $buf = '<'.$this->tagName;
66 66 foreach ($this->getAttributes() as $key => $val) {
67 67 if ($val !== null && $val !== false) {
68   - $buf .= ' ' . htmlspecialchars($key) . '="' . htmlspecialchars($val, true) . '"';
  68 + $buf .= ' ' . htmlspecialchars($key) . '="' . htmlspecialchars($val) . '"';
69 69 }
70 70 }
71 71 return $buf;
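Review bot: Dropping the second argument on line 68 removes the wrong flag but leaves the quoting policy implicit: `htmlspecialchars($val)` now depends on the interpreter's default flags, which encode double quotes (ENT_COMPAT) on the PHP versions current at the time and were later changed to ENT_QUOTES|ENT_SUBSTITUTE in PHP 8.1. Since this is the attribute-escaping path, consider stating the intent explicitly, e.g. `htmlspecialchars($val, ENT_QUOTES)`, so single quotes are encoded as well and the behaviour does not shift with the default; the `htmlspecialchars($key)` call on the same line relies on the default too.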
9 tests/attr-quotes.phpt
... ... @@ -0,0 +1,9 @@
  1 +--TEST--
  2 +Quotes in attribute
  3 +--FILE--
  4 +<?php
  5 +class xhp_a {}
  6 +$quote = '"';
  7 +echo <a b={$quote}>c</a>;
  8 +--EXPECT--
  9 +<a b="&quot;">c</a>
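Review bot: The new test pins only the double-quote case, which is exactly what the old `true` flag got wrong, but since the fix now relies on the default flags, a second case with a single quote (and ideally `<` and `&`) in the attribute value would document what the default is expected to encode and would catch a future change to that default. The `--TEST--` description could also say "double quote in attribute value" to make the covered case explicit.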
