Escaping not handling utf8 chars when mbstring.func_overload activated #6201
Comments
@semos you just filed a report on this, but can you eventually provide a patch?
@padraic can you check this one?
@Ocramius, I'm not 100% sure not to introduce regressions with this patch, as it depends on server configuration.
@semos @Ocramius
@sasezaki should we throw an exception in the escaper then?
@Ocramius You mean when mbstring.func_overload is not off?
Correct. We should prevent misuse of the escaper if it doesn't support a particular environment.
mbstring.func_overload = on is indeed a particular environment, but it's mostly near "register_globals".
@sasezaki just checked: we can't run install scripts except for in the root package... not viable.
@Ocramius okay, throwing an Exception is right.
This issue has been closed as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html
In line 252 of file Zend/Escaper/Escaper.php, we have:
But with mbstring.func_overload set to 2, 6 or 7, it must use mb_orig_strlen to know if it is a multi-byte character or not.
If it doesn't, the hex and ord values are based on the UTF-8 value, for example C3A9 for a "é", and it gets converted to 쎩 instead of é:
The problem is present with the mail() function too, and prevented us from sending multi-part emails; I'm going to file a report for this.
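The failure mode reported above and the guard proposed in the comments, as an added example that is not code from Zend\Escaper or from this thread. The function names are hypothetical, the length function is injected so the overloaded behaviour can be simulated on PHP versions that no longer have the setting, and the mbstring extension is assumed to be loaded.

```php
<?php
// Added illustration; function names are hypothetical, not Zend\Escaper's API.

// Byte length that ignores mbstring.func_overload: the '8bit' encoding
// makes mb_strlen() count bytes even when strlen() has been overloaded.
function byteLength(string $s): int
{
    return mb_strlen($s, '8bit');
}

// Guard discussed in the thread: refuse to run when string functions are
// overloaded (bit 2 of the setting, so the values 2, 6 and 7 all match).
function assertNoStringOverload(): void
{
    // ini_get() returns false where the directive does not exist; (int) gives 0.
    if (((int) ini_get('mbstring.func_overload')) & 2) {
        throw new RuntimeException(
            'mbstring.func_overload overloads strlen(); escaping is unreliable'
        );
    }
}

// Hex-entity escaping of a single UTF-8 character. $len decides whether the
// character is treated as multi-byte, which is the decision that goes wrong.
function hexEntity(string $chr, callable $len): string
{
    if ($len($chr) > 1) {
        // Multi-byte: convert to UTF-16BE so the hex digits are the code point.
        $chr = mb_convert_encoding($chr, 'UTF-16BE', 'UTF-8');
    }
    // Without the conversion, the raw UTF-8 bytes are read as one number.
    $ord = hexdec(bin2hex($chr));
    return sprintf($ord > 255 ? '&#x%04X;' : '&#x%02X;', $ord);
}

assertNoStringOverload();
$e = "\xC3\xA9"; // "é" as UTF-8 bytes (constructed sample)

// Simulated overload: length counted in characters, so no conversion happens
// and the bytes C3 A9 end up in the entity as if they were a code point.
echo hexEntity($e, fn($s) => mb_strlen($s, 'UTF-8')), "\n";
// Byte-based length: the character is converted and the entity is U+00E9.
echo hexEntity($e, 'byteLength'), "\n";
```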