PEAK XOOPS - News 
A Trap with get_html_translation_table()
You may know unhtmlspecialchars() has implemented into PHP.
With former versions of PHP, we had made such a custom function using get_html_translation_table() like this:
function my_unhtmlspecialchars( $text , $quotes = ENT_QUOTES )
{
return strtr( $text , array_flip( get_html_translation_table( HTML_SPECIALCHARS , $quotes ) ) ) ;
}
Recently, I find the function never convert & #039; into single quotes.
This is a result of my investigation.
Code:
<?php
var_dump( htmlspecialchars( '"\'<>&' , ENT_QUOTES ) ) ;
var_dump( get_html_translation_table( HTML_SPECIALCHARS , ENT_QUOTES ) ) ;
?>
Result:
string(25) "& quot;& #039;& lt;& gt;& amp;"
array(5) {
["""]=>
string(6) "& quot;"
["'"]=>
string(5) "& #39;"
["<"]=>
string(4) "& lt;"
[">"]=>
string(4) "& gt;"
["& "]=>
string(5) "& amp;"
}
& #039 and & #39; ...
This bug(?) are alive in PHP versions from PHP 4.3.10 to 5.2.5 at least.
We have to consider this trap for some time.
WYSIWYG Editors require "allow HTML" for the system.
But it must invite "Script Insertion" attacks easily.
kentauls told me HTMLPurifier.
http://htmlpurifier.org/
It looks great especially smoketest for XSS.
You should know HTMLPurifier can work with PHP5 only though the documentation tells us that it can work with PHP>=4.3.2.
Anyway, I've included this library into Protector.
You can try "postcommon_post_htmlpurify4guest.php" as protector's filter plugin.
But, it is just a sample.
I'll modify my modules can use HTMLPurifier as necessary by config.
HTMLPurifier allows us "WYSIWYG forum" etc.
There are important difference in order of functions for shutdown and output-buffering between PHP4.x/5.0.x and PHP5.1
<?php
register_shutdown_function( 'sf' ) ;
ob_start( 'ob' ) ;
echo 'main ' ;
function ob( $s )
{
return $s.'ob ' ;
}
function sf()
{
echo 'sf ' ;
}
?>The results excecuting this code...
PHP4.4.4 and PHP5.0.3
main ob sf PHP5.1.3
main sf ob You can understand they are far different each other.
Thus, we have to code like this style for cushoning the versions of PHP.
<?php
register_shutdown_function( 'sf' ) ;
ob_start( 'ob' ) ;
echo 'main ' ;
function ob( $s )
{
return $s.'ob ' ;
}
function sf()
{
while( @ob_end_flush() ) ; // here
echo 'sf ' ;
}
?>With this code, Both PHP4.x/5.0.x and PHP5.1.x run same order. (main, ob, sf)
If you want the order of (main, sf, ob), you have to call the shutdown function from the output-buffering function.
array_map() the built-in function of PHP is fast and useful one.
eg1) fetching an array of integer from a textbox. [1,2,3,4]
You can get it by just a line.
$myarray = array_map( 'intval' , explode( ',' , $post_data ) ) ;
eg2) merging arrays with unique elements of arrays or objects
Neither "operator +" nor array_merge() are enough for the purpose.
You can use array_map() usefully like this.
$merged_array = array_map( 'unserialize' , array_unique( array_map( 'serialize' , array_merge( $array1 , $array2 ) ) ) ) ;
Index specified by a boolean, a double, ant an int will be integer index via intval()
exception: out of the range of 32bit integer
Index specified by a string will be two type of index by the condition
/^[-]?[1-9][0-9]*$/
If the string matches this regex, it will be integer index.
Else, it will be string index (associated array).