Bug #61354 [Com]: htmlentities and htmlspecialchars doesn't respect the default_charset

[stemind at gmail dot com]

Edit report at https://bugs.php.net/bug.php?id=61354&edit=1

 ID:                 61354
 Comment by:         stemind at gmail dot com
 Reported by:        hufeng1987 at gmail dot com
 Summary:            htmlentities and htmlspecialchars doesn't respect
                     the default_charset
 Status:             Not a bug
 Type:               Bug
 Package:            Strings related
 Operating System:   Linux/Windows/
 PHP Version:        5.4.0
 Block user comment: N
 Private report:     N

 New Comment:

Zend should be convinced. The Zend htmlspecialchars Initiative 
http://ufive.ch/tzhi/


Previous Comments:
------------------------------------------------------------------------
[2013-07-12 13:15:06] kstirn at gmail dot com

Instead of moving on to PHP 5.4 and PHP 5.5 thousands of servers will stay with 
legacy PHP 5.3 due to this single, easy to solve (ini setting) issue that the 
PHP team has decided to ignore.

------------------------------------------------------------------------
[2013-07-12 10:57:40] tototation at gmail dot com

Yes, i'm interested too to understand that fact.
I recently upgrade my server, and ALL my code is unusable !
A search in code found +470 000 words htmlentities or htmlspecialchars !!!!!
HOW TO CHANGE ALL THIS ????? THAT'S IMPOSSIBLE !!!!!!!!

Thanks, we must stop all our services and websites.
Just for a stupid thing.

------------------------------------------------------------------------
[2013-06-15 22:51:31] jbolder42 at yahoo dot com

I was wondering if someone could enlighten me by explaining why this:

htmlspecialchars($str, ENT_QUOTES, "ISO-8859-1");

... would be considered any more secure than something like this:

ini_set("html.default_charset", "ISO-8859-1");
htmlspecialchars($str, ENT_QUOTES);

Thank you!

------------------------------------------------------------------------
[2013-05-20 18:14:25] kstirn at gmail dot com

@minder at ufive dot unibe dot ch

Yes, this can be done, but still means we would have to manually modify 
hundreds of legacy scripts on the server (many third party and many 
obfuscated/encoded)  to be able to upgrade to PHP 5.4. 

It would be really easy to fix with an ini setting and it would indeed make 
sense to have a setting for such a huge default change. I am disappointed that 
the PHP dev team has decided to completely ignore the issue.

------------------------------------------------------------------------
[2013-05-19 13:10:13] minder at ufive dot unibe dot ch

For legacy projects in latin1 we substitute htmlspecialchars with the self-made 
function htmlXspecialchars according to these instructions: 
http://ufive.unibe.ch/?c=php54entitiesfix&q=&l=e

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=61354


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=61354&edit=1