(Wietse Venema) wrote:
> laurent jouanneau:
> > (Wietse Venema) wrote:
> > > To give an idea of the functionality, consider the following program
> > > with an obvious HTML injection bug:
> > >
> > > <?php
> > > $username = $_GET['username'];   // untrusted request data, used unescaped below
> > > echo "Welcome back, $username\n";
> > > ?>
> > >
> > > With default .ini settings, this program does exactly what the
> > > programmer wrote: it echoes the contents of the username request
> > > attribute, including all the malicious HTML code that an attacker
> > > may have supplied along with it.
> > >
> > > When I change one .ini setting:
> > >
> > > taint_error_level = E_WARNING
> > >
> > > the program produces the same output, but it also produces a warning:
> > >
> > > Warning: echo(): Argument contains data that is not converted
> > > with htmlspecialchars() or htmlentities() in /path/to/script
> > > on line 3
> >
> > A PHP application doesn't always generate HTML: it can generate JSON,
> > CSV, PDF, etc. In this case, we don't have to call htmlspecialchars, etc.
>
> In that case, I suppose you would not be using echo, so there
> is no problem.

You wouldn't? So, when outputting a script-generated PDF file, how would
you do that if not using echo? (and thus also not print, since that's
pretty much the exact same thing)

>         Wietse
>
> > Is this warning appearing also when you want to output data other than
> > HTML? If not, how does your code guess the output type? If yes, how can we
> > disable this warning in pages which produce JSON, etc.?
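For reference, the hardened form of the "Welcome back" script next to the non-HTML case laurent asks about, as an added illustration that is not code from the thread or from the taint patch. It assumes a hypothetical ?format= query parameter that the original script does not have; the warning text quoted above names only htmlspecialchars() and htmlentities(), so the JSON branch is exactly the situation laurent's question is about.

```php
<?php
// Added example: escape untrusted input for the context it is emitted in.
declare(strict_types=1);

$username = $_GET['username'] ?? '';   // untrusted (tainted) request data

// Hypothetical selector: 'html' is the default, '?format=json' selects JSON.
$format = $_GET['format'] ?? 'html';

if ($format === 'json') {
    // JSON context: htmlspecialchars() is the wrong tool here. json_encode()
    // performs the escaping this context needs, and the Content-Type header
    // tells the client not to interpret the body as HTML.
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(
        ['message' => "Welcome back, $username"],
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT
    );
} else {
    // HTML context: convert the untrusted value before it reaches the page
    // body, which is what the taint patch's warning asks for.
    header('Content-Type: text/html; charset=utf-8');
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "Welcome back, $safe\n";
}
```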
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php