This repository has been archived by the owner on Jan 8, 2020. It is now read-only.

Escaping not handling utf8 chars when mbstring.func_overload activated #6201

Closed
semos opened this issue Apr 28, 2014 · 11 comments

@semos

semos commented Apr 28, 2014

In line 252 of file Zend/Escaper/Escaper.php, we have:

if (strlen($chr) > 1) {

But with mbstring.func_overload set to 2, 6 or 7, it must use mb_orig_strlen to know if it is a multi-byte character or not.

If it doesn't, the hex and ord values are based on the UTF-8 value, for example C3A9 for a "é", and it gets converted to &#xC3A9 instead of &#xE9:

if (strlen($chr) > 1) { //We never enter there
        $chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
}
$hex = bin2hex($chr);
$ord = hexdec($hex);

The problem is present with the mail() function too, and prevented us from sending multi-part emails. I'm going to file a report for this.

@Ocramius
Member

@semos you just filed a report on this, but can you eventually provide a patch?

@Ocramius
Member

@padraic can you check this one?

@Ocramius Ocramius added this to the 2.3.2 milestone Apr 29, 2014
@semos
Author

semos commented Apr 29, 2014

@Ocramius, I'm not 100% sure I won't introduce regressions with this patch, as it depends on the server configuration.
I'll try to do it tomorrow.

@sasezaki
Contributor

@semos @Ocramius
We already discussed mbstring.func_overload.
http://zend-framework-community.634137.n4.nabble.com/Environment-amp-StringUtils-td4559272.html#a4564914
And in conclusion, mbstring.func_overload = Off is a requirement for ZF2.

@Ocramius
Member

@sasezaki should we throw an exception in the escaper then?

@sasezaki
Contributor

@Ocramius You mean when mbstring.func_overload is not off?

@Ocramius
Member

Correct. We should prevent misuse of the escaper if it doesn't support a particular environment.

@sasezaki
Contributor

mbstring.func_overload = on is indeed a particular environment, but it's mostly near "register_globals".
So, I prefer checking the environment when installing (if composer - pre-install-cmd etc.)

@Ocramius
Member

Ocramius commented Aug 6, 2014

@sasezaki just checked: we can't run install scripts except for in the root package... not viable.

@sasezaki
Contributor

sasezaki commented Aug 6, 2014

@Ocramius okay, throwing an Exception is right.
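
The mis-escaping reported at the top of this thread and the guard agreed on at the end of it, as an added example that is not part of the thread and not Zend Framework code. The function names and the injectable length callback are assumptions made for illustration; the overloaded strlen() is reproduced with a character count so the block runs on a PHP without the directive.

```php
<?php
// Added example, not Zend Framework code. All function names are hypothetical.

/** Refuse to run when mbstring overloads the str*() functions (bit value 2). */
function assertStringFunctionsNotOverloaded(): void
{
    // ini_get() returns false where the directive no longer exists (PHP 8.0+).
    $overload = (int) ini_get('mbstring.func_overload');
    if (($overload & 2) !== 0) {
        throw new RuntimeException(
            'mbstring.func_overload=' . $overload
            . ' overloads strlen(); escaper output would be incorrect'
        );
    }
}

/**
 * Hex entity for one UTF-8 character, following the logic quoted in the issue.
 * $length is injectable so the overloaded behaviour can be reproduced.
 */
function hexEntity(string $chr, callable $length): string
{
    if ($length($chr) > 1) {
        // Multi-byte character: after conversion the hex value is the
        // code point (for characters in the Basic Multilingual Plane).
        $chr = mb_convert_encoding($chr, 'UTF-16BE', 'UTF-8');
    }
    $ord = hexdec(bin2hex($chr));
    return sprintf('&#x%02X;', $ord);
}

// Byte count that is independent of any overloading.
$byteLength = static function (string $s): int {
    return mb_strlen($s, '8bit');
};
// What strlen() returns under func_overload 2, 6 or 7: a character count.
$overloadedLength = static function (string $s): int {
    return mb_strlen($s, 'UTF-8');
};

assertStringFunctionsNotOverloaded();

$chr = "\u{E9}"; // constructed input: "é", bytes C3 A9 in UTF-8
echo hexEntity($chr, $byteLength), "\n";       // entity built from the code point
echo hexEntity($chr, $overloadedLength), "\n"; // raw UTF-8 bytes leak into the entity
```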

@GeeH

GeeH commented Jun 27, 2016

This issue has been closed as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html

@GeeH GeeH closed this as completed Jun 27, 2016