I found these
> The error handling output was found to not properly escape HTML output in
> certain cases. An attacker could use this flaw to perform cross-site
> scripting attacks against sites where both display_errors and html_errors
> are enabled.
>
http://www.nessus.org/plugins/index.php?view=
[Ignore this thread, the ML was stupid last night]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
hi,
On Thu, Jun 23, 2011 at 11:40 PM, Derick Rethans wrote:
> They are not useful in production, but as distributions use the
> "php.ini-production", even a PHP developer that uses a distribution
> package now doesn't use the "php.ini-development" settings. Hence, no
> more HTML errors and people
Hi,
On 23 Jun 2011, at 21:47, Derick Rethans wrote:
> Hi!
>
> In PHP 5.2 and earlier, the html_errors setting has always been on by
> default (in the code, in php.ini-dist and in php.ini-recommended). Since
> PHP 5.3, it's still on by default in the code and in
> php.
On Thu, Jun 23, 2011 at 11:44 PM, John Crenshaw wrote:
> > I'd like to hear an explanation how production setting of html_errors as
> 1 is useful.
>
> One that comes to mind is in conjunction with an error trap (output buffer
> hack to catch fatal errors and immediately notify an administrator).
> I'd like to hear an explanation how production setting of html_errors as 1
> is useful.
One that comes to mind is in conjunction with an error trap (output buffer hack
to catch fatal errors and immediately notify an administrator). I could imagine
using html_errors specifically because it wo
On Thu, 23 Jun 2011, Stas Malyshev wrote:
> On 6/23/11 12:47 PM, Derick Rethans wrote:
> > I'd like to revert this change *and* change when the docrefs are
> > shown, so that in 5.4 and trunk:
> > - html_errors is on by default again.
> > - the docref links are only shown when docref_root is not e
On Thu, Jun 23, 2011 at 11:28 PM, Stas Malyshev wrote:
> Hi!
>
>
> On 6/23/11 12:47 PM, Derick Rethans wrote:
>
>> I'd like to revert this change *and* change when the docrefs are
>> shown, so that in 5.4 and trunk:
>> - html_errors is on by default again.
>> - the docref links are only shown when
On Thu, 23 Jun 2011, Ferenc Kovacs wrote:
> On Thu, Jun 23, 2011 at 11:22 PM, Stas Malyshev wrote:
>
> >> I'd like to revert this change *and* change when the docrefs are
> >> shown, so that in 5.4 and trunk:
> >> - html_errors is on by default again.
> >> - the docref links are only shown when
Hi!
On 6/23/11 12:47 PM, Derick Rethans wrote:
> I'd like to revert this change *and* change when the docrefs are
> shown, so that in 5.4 and trunk:
> - html_errors is on by default again.
> - the docref links are only shown when docref_root is not empty
> A patch is attached. Comments?
Thinking more a
On Thu, Jun 23, 2011 at 11:26 PM, Ferenc Kovacs wrote:
>
>
> On Thu, Jun 23, 2011 at 11:22 PM, Stas Malyshev wrote:
>
>> Hi!
>>
>>
>> I'd like to revert this change *and* change when the docrefs are
>>> shown, so that in 5.4 and trunk:
>>> - html_errors is on by default again.
>>> - the docref l
On Thu, Jun 23, 2011 at 11:22 PM, Stas Malyshev wrote:
> Hi!
>
>
> I'd like to revert this change *and* change when the docrefs are
>> shown, so that in 5.4 and trunk:
>> - html_errors is on by default again.
>> - the docref links are only shown when docref_root is not empty
>>
>
> What about CLI
Hi!
> I'd like to revert this change *and* change when the docrefs are
> shown, so that in 5.4 and trunk:
> - html_errors is on by default again.
> - the docref links are only shown when docref_root is not empty
What about CLI PHP?
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcr
On Thu, 23 Jun 2011, Reindl Harald wrote:
> so if this is a problem for somebody he should consider not develop software
Please drop this kind of unconstructive comments on this mailing list.
Derick
On 23.06.2011 21:47, Derick Rethans wrote:
> Hi!
>
> In PHP 5.2 and earlier, the html_errors setting has always been on by
> default (in the code, in php.ini-dist and in php.ini-recommended). Since
> PHP 5.3, it's still on by default in the code and in
> php.ini-development, but php.ini-pro
Hi!
In PHP 5.2 and earlier, the html_errors setting has always been on by
default (in the code, in php.ini-dist and in php.ini-recommended). Since
PHP 5.3, it's still on by default in the code and in
php.ini-development, but php.ini-production has it off with the
following comment:
; When PHP