
PHP XML_Unserializer is removing some important characters

Hello Everyone,

This is a PHP/XML query.

I'm using XML_Unserializer from the PEAR package to convert some XML to a PHP array. The XML is very basic:

<response status="SUCCESS">
<object>some character data</object>

The problem I'm facing is that if "some character data" contains &lt; or &gt; (for < and >), these characters are being removed from the result.

"some character data" is usually HTML so what it needs to do is convert the &lt; and &gt; back to < and > rather than delete them.

I've looked through the XML_Unserializer code but haven't been able to determine when the characters are deleted.

Any help is greatly appreciated.

Sep 24 '08 #1
8,658 Expert Mod 8TB
When I used the WDDX (de)serializer, it was converting the & of my entities to &amp; and back. It could be (though I don't know the PEAR unserializer well enough) that your &lt; and &gt; are converted to < and > and then removed for security reasons???

You could test what happens to &amp;lt;. Maybe this can give you a hint....
Sep 24 '08 #2
Thanks, Dormilich, for the reply.

I tried it with "&amp;lt;" and the output was "lt;" so it appears XML_Unserializer is also not converting "&amp;" to "&".

Here's the code I'm using to test:


$some_text = '&lt;strong&gt;bold text&lt;strong&gt;';
$body = '<?xml version="1.0" encoding="UTF-8"?><response status="SUCCESS"><object>'.$some_text.'</object></response>';

$unserializer = new XML_Unserializer();
$result = $unserializer->unserialize($body);
if (!PEAR::isError($result)) {
$results = $unserializer->getUnserializedData();
if (empty($results)) {
echo 'EMPTY!';
else {
echo $results['object'];
else {
echo 'ERROR!';

The above code should echo bold text but it's currently echoing "strongbold textstrong".

I'm not sure how to determine if it's a security issue.

Sep 26 '08 #3
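An added example (not code from the thread or from PEAR) that parses the same document with PHP's built-in expat wrapper, ext/xml, so the decoded character data can be inspected directly. It assumes the ext/xml extension is loaded; expat delivers character data in pieces, splitting at every entity reference, so the handler must append rather than assign.

```php
<?php
// Added example (not from the thread or PEAR): parse the same document with
// PHP's built-in expat wrapper, ext/xml. Expat delivers character data in
// pieces, splitting at every entity reference, so the handler must append.
// Assumes the ext/xml extension is loaded.
function parse_response(string $xml): array
{
    $data = [];       // element name => decoded character data
    $current = null;  // element currently being read
    $parser = xml_parser_create('UTF-8');
    // Keep element names as written; the default folds them to upper case.
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);

    xml_set_element_handler(
        $parser,
        function ($p, string $name, array $attrs) use (&$data, &$current) {
            $current = $name;
            $data[$name] = $data[$name] ?? '';
        },
        function ($p, string $name) use (&$current) {
            $current = null;
        }
    );
    // Appending keeps "<", "strong" and ">" together; a handler that assigned
    // "$data[$current] = $text" instead would keep only the last piece.
    xml_set_character_data_handler(
        $parser,
        function ($p, string $text) use (&$data, &$current) {
            if ($current !== null) {
                $data[$current] .= $text;
            }
        }
    );
    if (!xml_parse($parser, $xml, true)) {
        $err = xml_error_string(xml_get_error_code($parser));
        xml_parser_free($parser);
        throw new RuntimeException("XML parse error: $err");
    }
    xml_parser_free($parser);
    return $data;
}

// Constructed sample with the same shape as the document in the question.
$body = '<?xml version="1.0" encoding="UTF-8"?><response status="SUCCESS">'
      . '<object>&lt;strong&gt;bold text&lt;strong&gt;</object></response>';
$result = parse_response($body);
// $result['object'] is now "<strong>bold text<strong>": raw markup from the
// remote side, so escape it on output unless that source is trusted to send HTML.
echo htmlspecialchars($result['object'], ENT_QUOTES, 'UTF-8'), "\n";
```

If this script shows the angle brackets intact while XML_Unserializer does not, the loss happens inside the PEAR library rather than in the XML itself.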
8,658 Expert Mod 8TB
Having a look at the docs, they call the unserializer like this:

XML_Unserializer::unserialize (string $data [, boolean $isFile = FALSE [, array $options = NULL]])
string XML_Unserializer::getUnserializedData ()

Maybe you need to redefine some options?
Sep 29 '08 #4