From 3e78b76ce4215a4927bf0926de9fbe4594e2e2b8 Mon Sep 17 00:00:00 2001
From: Christoph Michael Becker <cmb@php.net>
Date: Tue, 21 Jun 2016 16:14:05 +0000
Subject: [PATCH] Fix #39521: DOMDocument::createElement() does not escape its
 parameters properly

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@339438 c90b9560-bf6c-de11-be94-00142212c4b1
---
 reference/dom/domdocument/createelement.xml | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/reference/dom/domdocument/createelement.xml b/reference/dom/domdocument/createelement.xml
index 028e0d0bc8..cc9ca799f2 100644
--- a/reference/dom/domdocument/createelement.xml
+++ b/reference/dom/domdocument/createelement.xml
@@ -37,6 +37,12 @@
        The value can also be set later with <link
        linkend="domnode.props.nodevalue">DOMElement::$nodeValue</link>.
       </para>
+      <para>
+       The value is used verbatim except that the &lt; and &gt; entity
+       references will escaped. Note that &amp; has to be manually escaped;
+       otherwise it is regarded as starting an entity reference. Also " won't be
+       escaped.
+      </para>
      </listitem>
     </varlistentry>
    </variablelist>
@@ -89,6 +95,29 @@ echo $dom->saveXML();
 <![CDATA[
 <?xml version="1.0" encoding="utf-8"?>
 <test>This is the root element!</test>
+]]>
+    </screen>
+   </example>
+  </para>
+  <para>
+   <example>
+    <title>Passing text containing an unescaped &amp; as <parameter>value</parameter></title>
+    <programlisting role="php">
+<![CDATA[
+<?php
+$dom = new DOMDocument('1.0', 'utf-8');
+$element = $dom->createElement('foo', 'me & you');
+$dom->appendChild($element);
+echo $dom->saveXML();
+?>
+]]>
+    </programlisting>
+    &example.outputs.similar;
+    <screen>
+<![CDATA[
+Warning: DOMDocument::createElement(): unterminated entity reference             you in /in/BjTCg on line 4
+<?xml version="1.0" encoding="utf-8"?>
+<foo/>
 ]]>
     </screen>
    </example>