Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP DOMDocument createElement obfuscates ampersand

Tags:

php

obfuscation

domdocument

I am using PHP DOMDocument library in order to create a 'script' tag element with a, well, a javascript value and insert it in the DOM.

This is what I do:

$scriptElement = $doc->createElement('script',$scriptTagVal);
echo $scriptElement->nodeValue;                                                                  
$someNode->parentNode->insertBefore($scriptElement,$postRttScriptNode);

This behaves the way I expect it to, it inserts an element right before 'someNode'. However, it does something strange, it obfuscates the ampersand (&). Single Ampersands (&) do not exist, and double Ampersands (&&) are bought down to single ampersands.

Crazy? Well, I tried doing this:

$scriptElement = $doc->createElement('script','return "undefined" !== typeof b **&&** null !== b ? b.getAttribute("content") : 0');

And if I echo out $scriptElement->nodeValue,

I get 

return "undefined" !== typeof b **&** null !== b ? b.getAttribute("content") : 0'

I am assuming this is virtually unheard of, but I tried creating different elements with values that contain double ampersands. Something like:

 $scriptElement = $doc->createElement('p','Why does DOMDocument obfuscate double
            ampersands(&&)');

And the result that is outputted to my browser is a

tag with the value:

Why does DOMDocument obfuscate double ampersands(

Special characters perhaps? Is there anyway I can get around this? I mean, surely there has to be a way to use DOMDocument to insert javascript in HTML, right?

like image 753
Parijat Kalia Avatar asked Jun 24 '14 00:06

Parijat Kalia

1 Answers

As noted in http://www.php.net/manual/en/domdocument.createelement.php

The value will not be escaped. Use DOMDocument::createTextNode() to create a text node with escaping support

With that you can try:

$doc = new DomDocument();
$scriptContent = 'return "undefined" !== typeof b **&&** null !== b ? b.getAttribute("content") : 0';
$scriptElement = $doc->createElement('script');
$scriptElement->appendChild($doc->createTextNode($scriptContent));
$doc->appendChild($scriptElement);
echo $doc->saveXML();

you may need to use $doc->ownerDocument->createTextNode() when building your text node, this is untested as I don't have a run-able code snippet.

like image 164
Scuzzy Avatar answered Sep 29 '22 12:09

Scuzzy
Sign in to Comment

Related questions

Wordpress, get current level of taxonomy in an archive page
PHP PDO: How long are prepared mysql queries cached?
Start a project with Codeigniter [closed]
Symfony2 Form Builder - creating an array of choices from a DB query
Can't change headers if there is an output?
malformed header from script. Bad header=1: index.php
Prevent jQuery AJAX call from waiting for previous call to complete
Integrating existing project by laravel framework?
How to run a php file by double clicking?
Save copy of a photo from Google Places API Place Photos using curl
Unable to cURL image. Not sure what to do
Why is Laravel trashed() method not found>
Wordpress posts in grid view with Bootstrap 3 columns
PHP equivalent of Java Servlet
Table well displayed in html but not in the pdf generated with mpdf
jQuery: determine the [server's] Document Root
Doctrine QueryBuilder Re-Use Parts
Verify Facebook API Access Token & UserID via PHP SDK?
Laravel Eloquent: merge model with Input
Finding next fibonacci number

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!