From 3e78b76ce4215a4927bf0926de9fbe4594e2e2b8 Mon Sep 17 00:00:00 2001
From: Christoph Michael Becker
Date: Tue, 21 Jun 2016 16:14:05 +0000
Subject: [PATCH] Fix #39521: DOMDocument::createElement() does not escape its parameters properly
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@339438 c90b9560-bf6c-de11-be94-00142212c4b1
---
reference/dom/domdocument/createelement.xml | 29 +++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/reference/dom/domdocument/createelement.xml b/reference/dom/domdocument/createelement.xml
index 028e0d0bc8..cc9ca799f2 100644
--- a/reference/dom/domdocument/createelement.xml
+++ b/reference/dom/domdocument/createelement.xml
@@ -37,6 +37,12 @@ The value can also be set later with DOMElement::$nodeValue. + + The value is used verbatim except that the < and > entity + references will escaped. Note that & has to be manually escaped; + otherwise it is regarded as starting an entity reference. Also " won't be + escaped. +
@@ -89,6 +95,29 @@ echo $dom->saveXML(); This is the root element! +]]> + + + + + + Passing text containing an unescaped & as <parameter>value</parameter> + +createElement('foo', 'me & you'); +$dom->appendChild($element); +echo $dom->saveXML(); +?> +]]> + + &example.outputs.similar; + + + ]]>