PHP XML_Unserializer is removing some important characters

**Dormilich** · Sep 24 '08, 06:38 AM

when I used the wddx (de)serializer, it was converting the & of my entities to & and back. it could be (tho I don't know the PEAR unserializer enough) your < and > are converted to < and > and then removed for security reasons???

you could test what happens to &lt; maybe this can give you a hint....

**dt84** · Sep 26 '08, 12:15 AM

Thanks Dormilich for the reply,

I tried it with "&lt;" and the output was "lt;" so it appears XML_Unserialize r is also not converting "&" to "&".

Here's the code I'm using to test:

[PHP]
require_once('X ML/Unserializer.ph p');

$some_text = '<strong> bold text<strong& gt;';
$body = '<?xml version="1.0" encoding="UTF-8"?><respons e status="SUCCESS "><object>'.$so me_text.'</object></response>';

$unserializer = new XML_Unserialize r();
$result = $unserializer->unserialize($b ody);
if (!PEAR::isError ($result)) {
$results = $unserializer->getUnserialize dData();
if (empty($results )) {
echo 'EMPTY!';
}
else {
echo $results['object'];
}
}
else {
echo 'ERROR!';
}
[/PHP]

The above code should echo bold text but it's currently echoing "strongbold textstrong".

I'm not sure how to determine if it's a security issue.

David.

**Dormilich** · Sep 29 '08, 10:03 AM

having a look at the docs, they call the unserializer
[PHP]XML_Unserialize r::unserialize (string $data [, boolean $isFile = FALSE [, array $options = NULL]])
string XML_Unserialize r::getUnseriali zedData ()[/PHP]
maybe you need to redefine some options?

**naznaz** · Apr 4 '13, 05:09 AM

See http://forums.phpfreaks.com/topic/17...gt-from-cdata/

PHP XML_Unserializer is removing some important characters

PHP XML_Unserializer is removing some important characters

Comment

Comment

Comment

Comment