Davey Shafik's Blog:
ext/dom and libxml2 charset and entities behaviors
Aug 11, 2009 @ 10:23:53

Davey Shafik points out the second argument of DOMDocument::saveXML() in PHP's ext/dom, an options bitmask that controls how "empty tags" (elements with no content) are serialized.

This argument currently supports only one value, the constant LIBXML_NOEMPTYTAGS. Without it an empty element is written as <tag />; with it you get <tag></tag> instead. The longer form gives you more predictable text if you intend to post-process the serialized output with string or regex operations later.

He also noticed other changes the option made to his XML documents, notably a size increase caused by extra whitespace in the output. Code samples are included to show the differences.
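To see the difference for yourself, here is an added example (my own code, not a sample from Davey's post) that serializes the same document with and without LIBXML_NOEMPTYTAGS and prints the size of each result. Because the post's title also covers charset and entity behavior, it runs the same content twice, once with an encoding declaration and once without, so you can observe how your libxml2 build writes non-ASCII text in each case. The sample documents are constructed for this example.

```php
<?php
// Added example (not code from Davey Shafik's post): DOMDocument::saveXML()
// with and without LIBXML_NOEMPTYTAGS, plus a look at how libxml2 serializes
// non-ASCII text depending on whether the document declares a charset.
declare(strict_types=1);

/**
 * Parse $xml and return both serializations of it, keyed by mode.
 *
 * @return array{default: string, noemptytags: string}
 */
function serialize_both(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET stops libxml2 from fetching external DTDs or entities over
    // the network. Never add LIBXML_NOENT when parsing untrusted input: that
    // enables entity substitution and with it XXE.
    if ($doc->loadXML($xml, LIBXML_NONET) === false) {
        throw new RuntimeException('loadXML failed');
    }

    return [
        // Default serialization: empty elements come out as <tag/>.
        'default'     => $doc->saveXML(),
        // LIBXML_NOEMPTYTAGS: empty elements come out as <tag></tag>.
        'noemptytags' => $doc->saveXML(null, LIBXML_NOEMPTYTAGS),
    ];
}

/** True if the serialized text still contains a self-closing tag. */
function has_self_closing_tag(string $serialized): bool
{
    return preg_match('~<[^>]+/>~', $serialized) === 1;
}

// Constructed sample documents: identical content, with and without an
// encoding declaration. "&#233;" is a numeric character reference for "é".
$declared   = '<?xml version="1.0" encoding="UTF-8"?>'
            . '<root><tag/><item id="1"/><text>caf&#233; &amp; co</text></root>';
$undeclared = '<root><tag/><item id="1"/><text>caf&#233; &amp; co</text></root>';

foreach (['declared' => $declared, 'undeclared' => $undeclared] as $label => $xml) {
    $out = serialize_both($xml);
    foreach ($out as $mode => $serialized) {
        printf(
            "%-10s %-12s %4d bytes, self-closing=%s: %s\n",
            $label,
            $mode,
            strlen($serialized),
            has_self_closing_tag($serialized) ? 'yes' : 'no',
            trim($serialized)
        );
    }
}
```

Run it from the command line with `php example.php`. The "noemptytags" lines are the ones to compare when you plan to feed the output to a regex or a string-based template step; whether the "é" shows up literally or as a character reference in the "undeclared" case is libxml2's decision, which is exactly the charset behavior worth checking before you rely on the serialized text.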

tagged: dom extension savexml charset libxml2 emptytags

Hardened-PHP Project:
WordPress Vulnerability Advisories (XSS & Trackbacks)
Jan 05, 2007 @ 13:26:15

The Hardened-PHP Project has posted two new advisories today, both dealing with WordPress issues: one is an SQL injection reached through the charset handling of trackbacks, the other a cross-site scripting vulnerability.

The first advisory notes that:

While testing WordPress it was discovered that WordPress supports trackbacks in different charsets when PHP's mbstring extension is installed. This feature can be abused to bypass WordPress's SQL parameter escaping which leads to an SQL injection vulnerability that can result in a compromise of the admin account and end in a server compromise.

The second advisory talks about a problem with the WordPress admin interface that leaves it open to cross-site scripting issues.

The WordPress group has already released an updated version that resolves both issues. It is highly recommended that you update your installation immediately to prevent exploitation of either vulnerability.
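The general lesson behind the trackback advisory is ordering: if input is escaped for SQL first and converted from a client-declared charset afterwards, the conversion can produce quote characters the escaper never saw. The following is an added illustration of that principle (my own code, not the advisory's exploit and not WordPress code): the UTF-7 charset and the "+ACc-" payload are assumptions chosen because UTF-7 can spell a single quote without using the quote byte, and addslashes() stands in for whatever SQL escaper is in use.

```php
<?php
// Added example (not from the Hardened-PHP advisory or WordPress itself):
// why escaping *before* charset conversion does not protect a SQL query.
declare(strict_types=1);

// Vulnerable order: escape the raw bytes, then convert from the charset the
// remote side declared. The conversion can create characters the escaper
// never saw. addslashes() stands in for the SQL escaping function here.
function escape_then_convert(string $raw, string $charset): string
{
    $escaped = addslashes($raw);
    return mb_convert_encoding($escaped, 'UTF-8', $charset);
}

// Hardened order: convert to the connection charset first, then escape.
// (Binding the value as a prepared-statement parameter is better still.)
function convert_then_escape(string $raw, string $charset): string
{
    $utf8 = mb_convert_encoding($raw, 'UTF-8', $charset);
    return addslashes($utf8);
}

// True if the string contains a single quote not preceded by a backslash,
// i.e. one that would terminate a SQL string literal.
function has_unescaped_quote(string $s): bool
{
    return preg_match("/(?<!\\\\)'/", $s) === 1;
}

// Constructed attacker payload (assumption for this example): in UTF-7 the
// sequence "+ACc-" decodes to a single quote, so the raw bytes contain no
// quote at all and addslashes() has nothing to escape.
$charset = 'UTF-7';
$payload = "x+ACc- OR 1 --";

$bad  = escape_then_convert($payload, $charset);
$good = convert_then_escape($payload, $charset);

printf("escape-then-convert: %s  (unescaped quote: %s)\n",
    $bad, has_unescaped_quote($bad) ? 'yes' : 'no');
printf("convert-then-escape: %s  (unescaped quote: %s)\n",
    $good, has_unescaped_quote($good) ? 'yes' : 'no');
```

The first line prints `x' OR 1 --` with the quote unescaped; the second prints `x\' OR 1 --`. The fix that removes the whole class of problem is to decide on one charset at the trust boundary, convert untrusted input into it before any validation or escaping, and then use parameterized queries so the escaping step is not load-bearing at all.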

tagged: vulnerability advisory wordpress crosssitescripting xss trackback charset
