
PHP XML_Unserializer is removing some important characters

Hello Everyone,

This is a PHP/XML query.

I'm using XML_Unserializer from the PEAR package to convert some XML to a php array. The XML is very basic:

<response status="SUCCESS">
<object>some character data</object>
</response>

The problem I'm facing is that if "some character data" contains &lt; or &gt; (for < and >), these characters are being removed from the result.

"some character data" is usually HTML so what it needs to do is convert the &lt; and &gt; back to < and > rather than delete them.

I've looked through the XML_Unserializer code but haven't been able to determine when the characters are deleted.

Any help is greatly appreciated.

David.
Sep 24 '08 #1
Dormilich
When I used the wddx (de)serializer, it was converting the & of my entities to &amp; and back. It could be (though I don't know the PEAR unserializer well enough) that your &lt; and &gt; are converted to < and > and then removed for security reasons???

You could test what happens to &amp;lt;; maybe this can give you a hint....
Sep 24 '08 #2
dt84
Thanks Dormilich for the reply,

I tried it with "&amp;lt;" and the output was "lt;" so it appears XML_Unserializer is also not converting "&amp;" to "&".

Here's the code I'm using to test:

[PHP]
require_once('XML/Unserializer.php');

// Character data carrying escaped HTML; the entities should decode to < and >.
$some_text = '&lt;strong&gt;bold text&lt;strong&gt;';
$body = '<?xml version="1.0" encoding="UTF-8"?><response status="SUCCESS"><object>'.$some_text.'</object></response>';

$unserializer = new XML_Unserializer();
$result = $unserializer->unserialize($body);
if (!PEAR::isError($result)) {
    // unserialize() returns true on success; the data is fetched separately.
    $results = $unserializer->getUnserializedData();
    if (empty($results)) {
        echo 'EMPTY!';
    }
    else {
        echo $results['object'];
    }
}
else {
    echo 'ERROR!';
}
[/PHP]

The above code should echo bold text but it's currently echoing "strongbold textstrong".

I'm not sure how to determine if it's a security issue.

David.
Sep 26 '08 #3
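An added example, not code from this thread or from PEAR: XML_Unserializer is built on PHP's expat-based ext/xml, so this records every character-data callback expat makes for the two payloads discussed above (the original entities and the &amp;lt; probe). Expat hands back the text before an entity, the decoded entity itself and the text after it as separate calls, so a handler that does not append every piece loses the one-character ones; the element name `object` and the labels are assumptions of this example.

```php
<?php
// Collect every character-data chunk expat delivers for the text inside <object>.
function collectChunks(string $xml): array
{
    $chunks = [];
    $inObject = false;
    $parser = xml_parser_create('UTF-8');
    // Keep element names as written instead of expat's default upper-casing.
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
    xml_set_element_handler(
        $parser,
        function ($p, $name) use (&$inObject) { if ($name === 'object') { $inObject = true; } },
        function ($p, $name) use (&$inObject) { if ($name === 'object') { $inObject = false; } }
    );
    xml_set_character_data_handler($parser, function ($p, $data) use (&$chunks, &$inObject) {
        if ($inObject) {
            $chunks[] = $data;   // store each piece exactly as delivered, no joining yet
        }
    });
    if (!xml_parse($parser, $xml, true)) {
        throw new RuntimeException('parse error: ' . xml_error_string(xml_get_error_code($parser)));
    }
    xml_parser_free($parser);
    return $chunks;
}

// Constructed payloads: the thread's original test and the &amp;lt; probe.
$payloads = [
    'entities'       => '&lt;strong&gt;bold text&lt;strong&gt;',
    'double-escaped' => '&amp;lt;strong&amp;gt;',
];

foreach ($payloads as $label => $some_text) {
    $body = '<?xml version="1.0" encoding="UTF-8"?>'
          . '<response status="SUCCESS"><object>' . $some_text . '</object></response>';
    $chunks = collectChunks($body);
    // The correct value is the concatenation of every chunk; dropping the
    // one-character pieces ("<", ">", "&") reproduces the truncated output
    // reported in the thread.
    echo $label, ":\n";
    echo '  chunks : ', json_encode($chunks), "\n";
    echo '  joined : ', implode('', $chunks), "\n";
}
```

Comparing the joined value with what getUnserializedData() returns for the same document tells you whether the pieces are being lost inside the unserializer or somewhere after it.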
Dormilich
Having a look at the docs, they call the unserializer
[PHP]
XML_Unserializer::unserialize (string $data [, boolean $isFile = FALSE [, array $options = NULL]])
string XML_Unserializer::getUnserializedData ()
[/PHP]
Maybe you need to redefine some options?
Sep 29 '08 #4
