PHP XML_Unserializer is removing some important characters

when I used the wddx (de)serializer, it was converting the & of my entities to &amp; and back. it could be (tho I don't know the PEAR unserializer enough) your &lt; and &gt; are converted to < and > and then removed for security reasons???

you could test what happens to &amp;lt; maybe this can give you a hint....

Thanks Dormilich for the reply,

I tried it with "&amp;lt;" and the output was "lt;" so it appears XML_Unserializer is also not converting "&amp;" to "&".

Here's the code I'm using to test:

[PHP]
require_once('XML/Unserializer.php');

$some_text = '&lt;strong&gt;bold text&lt;strong&gt;';
$body = '<?xml version="1.0" encoding="UTF-8"?><response status="SUCCESS"><object>'.$some_text.'</object></response>';

$unserializer = new XML_Unserializer();
$result = $unserializer->unserialize($body);
if (!PEAR::isError($result)) {
$results = $unserializer->getUnserializedData();
if (empty($results)) {
echo 'EMPTY!';
}
else {
echo $results['object'];
}
}
else {
echo 'ERROR!';
}
[/PHP]

The above code should echo bold text but it's currently echoing "strongbold textstrong".

I'm not sure how to determine if it's a security issue.

David.

having a look at the docs, they call the unserializer
[PHP]XML_Unserializer::unserialize (string $data [, boolean $isFile = FALSE [, array $options = NULL]])
string XML_Unserializer::getUnserializedData ()[/PHP]
maybe you need to redefine some options?

See http://forums.phpfreaks.com/topic/17...gt-from-cdata/