[wp-trac] [WordPress Trac] #53465: PHP 8.1.: the default value of the flags parameter for htmlentities() et all needs to be explicitly set
WordPress Trac
noreply at wordpress.org
Sun Jun 20 18:19:22 UTC 2021
#53465: PHP 8.1.: the default value of the flags parameter for htmlentities() et all needs to be explicitly set
------------------------------+-------------------------------
Reporter: jrf | Owner: (none)
Type: task (blessed) | Status: new
Priority: normal | Milestone: 5.9
Component: General | Version:
Severity: normal | Keywords: needs-patch php81
Focuses: coding-standards |
------------------------------+-------------------------------
From the PHP 8.1 changelog:
> `htmlspecialchars()`, `htmlentities()`, `htmlspecialchars_decode()`,
> `html_entity_decode()` and `get_html_translation_table()` now use
> `ENT_QUOTES | ENT_SUBSTITUTE` rather than `ENT_COMPAT` by default. This
> means that `'` is escaped to `&#039;` while previously it was left alone.
> Additionally, malformed UTF-8 will be replaced by a Unicode substitution
> character, instead of resulting in an empty string.
Ref: https://github.com/php/php-src/blob/28a1a6be0873a109cb02ba32784bf046b87a02e4/UPGRADING#L149-L154
In effect this means that the output of the above mentioned functions may
differ depending on the PHP version and the passed text string, unless the
`$flags` parameter is explicitly passed.
I've run an initial scan over WordPress core with a new (not yet
published) sniff for PHPCompatibility and this flags 33 issues.
* 1 issue in GetID3 which should be fixed upstream and the copy of GetID3
used in WP should be updated once the issue is fixed.
* 1 issue in PHPMailer which should be fixed upstream and the copy of
PHPMailer used in WP should be updated once the issue is fixed.
* 1 issue in SimplePie which should be fixed upstream and the copy of
SimplePie used in WP should be updated once the issue is fixed.
* And 30 issues in WP Core native code or code from external dependencies
which are no longer maintained externally.
Detailed issue list:
https://gist.github.com/jrfnl/9d56b4053faa62a0fe91dea1b14839bf
To fix this issue, the `$flags` parameter should be explicitly passed in
each of these function calls.
Some investigation will be needed for each of these instances to determine
what will be the optimal value for `$flags`.
Take note that the "old" parameter default in the function signature is
documented as `ENT_COMPAT`, while in the parameter detail documentation,
it states that the default, in actual fact, is `ENT_COMPAT | ENT_HTML401`.
However, by the looks of it, the full range of flag constants is available
to us, which is at least one less problem.
There is no mention of any of the flags being added since PHP 5.6.
Ref: https://php-legacy-docs.zend.com/manual/php5/en/string.constants
It is **strongly** recommended to make sure that for each of these at
least one unit test exists which exposes the difference in output between
PHP < 8.1 and PHP 8.1 to safeguard the fixes which will be added for the
future.
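The following is an added example (not code from the ticket or from WordPress core) showing why the `$flags` argument needs to be pinned and what a safeguarding test looks like. It spells out both implicit defaults (the pre-8.1 `ENT_COMPAT | ENT_HTML401` and the 8.1+ `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`) so the comparison runs identically on any PHP version, and feeds both a single quote and a truncated UTF-8 sequence through them. The wrapper name `escape_html_explicit()`, the constant names and the sample strings are assumptions made for this example.

```php
<?php
// Added example (not from the ticket): evaluates the same input under the
// old (< 8.1) and new (>= 8.1) implicit flag sets on whatever PHP runs this,
// and shows the version-independent form with $flags passed explicitly.

declare(strict_types=1);

// Both implicit defaults written out, so the comparison does not depend on
// the running PHP version. Names are assumptions made for this example.
const OLD_DEFAULT_FLAGS = ENT_COMPAT | ENT_HTML401;
const NEW_DEFAULT_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;

/**
 * Escape text for HTML with output that is the same on every PHP version.
 * ENT_QUOTES escapes both quote styles, and ENT_SUBSTITUTE makes malformed
 * UTF-8 surface as U+FFFD instead of silently collapsing the whole string
 * to '' (which hides the broken value rather than failing visibly).
 */
function escape_html_explicit(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/**
 * Decode side with the flags pinned as well; ENT_QUOTES is needed for the
 * single-quote entity to be decoded at all.
 */
function decode_html_explicit(string $text): string
{
    return html_entity_decode($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/**
 * The kind of unit test the ticket recommends: it pins the expected output
 * of the explicit-flags wrapper, so a regression back to the implicit
 * default shows up on PHP < 8.1 (quote left alone, '' for bad UTF-8).
 * Returns true when every expectation holds.
 */
function check_version_independent_escaping(): bool
{
    // Constructed sample inputs: a single quote and a truncated 2-byte sequence.
    $expectations = [
        "it's"     => 'it&#039;s',
        "caf\xC3"  => "caf\u{FFFD}",
    ];
    foreach ($expectations as $input => $expected) {
        if (escape_html_explicit($input) !== $expected) {
            return false;
        }
    }
    return decode_html_explicit('it&#039;s') === "it's";
}

// Side-by-side view of what each flag set does with the same input.
$samples = [
    'single quote'    => "it's",
    'malformed UTF-8' => "caf\xC3",
];

foreach ($samples as $label => $input) {
    $old   = htmlspecialchars($input, OLD_DEFAULT_FLAGS, 'UTF-8');
    $new   = htmlspecialchars($input, NEW_DEFAULT_FLAGS, 'UTF-8');
    $fixed = escape_html_explicit($input);
    printf(
        "%-16s old default: %s | new default: %s | explicit: %s\n",
        $label,
        var_export($old, true),
        var_export($new, true),
        var_export($fixed, true)
    );
}

printf("explicit-flags check passes: %s\n", check_version_independent_escaping() ? 'yes' : 'no');
```

Running this under any supported PHP version prints the same "explicit" column, while the "old default" and "new default" columns show the two behaviours the changelog describes: the single quote is left alone versus escaped, and the malformed sequence becomes an empty string versus a substitution character. The `check_version_independent_escaping()` function is the shape of test the ticket asks for: it encodes the expected output once, so an instance that later loses its explicit `$flags` fails on the older PHP versions rather than silently producing different markup.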
Also see:
* https://www.php.net/manual/en/function.htmlentities.php
* https://www.php.net/manual/en/function.html-entity-decode.php
* https://www.php.net/manual/en/function.htmlspecialchars.php
* https://www.php.net/manual/en/function.htmlspecialchars-decode.php
* https://www.php.net/manual/en/function.get-html-translation-table.php
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53465>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform