New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always use htmlspecialchars($str, ENT_COMPAT, 'UTF-8') #10399
Comments
Afaik, we usually define the encoding when using |
A quick search indicates that there are probably hundreds of locations where the call only has a single parameter. It looks like the parameters are omitted more often than used. |
And yet we have never had reports. Isn't this a server config issue?
|
Yes, in this case the issues were caused by a bad server configuration, but PHP documentation says that omitting the encoding parameter is not recommended. But as you still support PHP 5.3, you may get into troubles as the function call in PHP 5.3 still uses So not having those two extra parameters set is a bad idea in both PHP 5.3 and 5.6+. |
If it was just one or two places to edit then of course I would say go for On 11 May 2016 at 12:25, Matias Griese notifications@github.com wrote:
Brian Teeman |
So I'm a bit with Brian here. While it would be recommended to always specify the encoding in If someone wants to track down all occurances and fix them, go ahead. It could be a pain to test though. |
LOL, it looks that at least @zero-24 is working on this issue. :) I reported this issue as it took fairly long time to figure out what was wrong in the user setup and as it affected our software as well. And the warning was indeed caused by bad configuration. BTW: Would it be a good idea to introduce some common escape() method into Joomla? I hate using htmlspecialchars() for some obvious reasons. |
You mean something like https://github.com/joomla/joomla-cms/blob/staging/libraries/legacy/view/legacy.php#L347-L367 |
Yes, but something that can be used outside of views. |
Not sure if it makes sense for modules and plugins as those usually don't have that many strings to escape. |
Yeah, I agree its likely much bigger change, but it would prevent people from omitting parameters. But as you can see, nobody uses $this->escape() either in template files... :) |
That was my thinking as well, but a search proved me wrong 😄 |
Closed as @zero-24 is being a hero This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10399. |
I'm doing it step by step so it can be easily reviewed and tested 😄 |
Can we have something to abstract this dirty looking function call into something like: About the 3rd party developers we can't help much. I have seen many of them still using PS: If done so, we may deprecate the |
I'm not a huge fan of wrapping a native PHP function into an own static method. |
I can see one use for the method: being able to do better in PHP 5.4+:
That would not break if input is for some reason in non-UTF-8 encoding. |
One of our users ran into some issues with his Joomla installation because of his server had
default_charset=latin1
in php.ini.Documentation for
htmlspecialchars()
says that: "PHP 5.6: The default value for the encoding parameter was changed to be the value of the default_charset configuration option"The issue can be fixed by making sure that all
htmlspecialchars()
calls have encoding set.Additionally in my tests there is an issue if for some reason incoming encoding is wrong, which is easy to fix by using
ENT_SUBSTITUTE
(PHP 5.4+ only!):Results:
The text was updated successfully, but these errors were encountered: