@k-holy
Created February 28, 2012 09:30
Caveats when using output_add_rewrite_var()
<?php
assert_options(ASSERT_ACTIVE, 1);
assert_options(ASSERT_WARNING, 0);
assert_options(ASSERT_CALLBACK, function ($file, $line) {
echo '<pre>' . htmlspecialchars(sprintf("Assertion Failed: at %s[%d]\n", $file, $line)) . '</pre>';
});
//$name = '" /><script>alert("Hello!");</script><input type="hidden" name="'; // the name is neither urlencode()'d nor HTML-escaped
$name = 'token';
$value = '"<Baz & Qux>"'; // the value is urlencode()'d, but not HTML-escaped
ini_set('url_rewriter.tags', 'form=');
output_add_rewrite_var($name, $value);
if (isset($_POST['submit']) && isset($_POST[$name])) {
assert(strcmp($_POST[$name], rawurlencode($value)) === 0); // fails: the space becomes '+', not '%20'
assert(strcmp($_POST[$name], $value) === 0); // fails: the submitted value is still urlencode()'d
assert(strcmp($_POST[$name], urlencode($value)) === 0); // OK
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
</head>
<body>
<form method="post">
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
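The gist shows that the variable name passed to output_add_rewrite_var() is inserted into the generated hidden input verbatim, while the value arrives in $_POST still urlencode()'d. The following is an added example (not part of k-holy's gist) of how a caller can guard against both points: the function names add_rewrite_var_safely() and rewrite_var_matches() are hypothetical, and the name pattern is an assumption chosen for this illustration.

```php
<?php
// Added example, not part of the original gist. Function names are hypothetical.
declare(strict_types=1);

/**
 * Register a rewrite variable only when its name is safe to embed verbatim.
 * output_add_rewrite_var() does not urlencode() or HTML-escape the name, so a
 * name derived from untrusted input could break out of the generated
 * <input type="hidden" name="..."> attribute. The value is urlencode()'d by
 * PHP before insertion, so it needs no extra escaping here.
 */
function add_rewrite_var_safely(string $name, string $value): void
{
    // Assumed policy: identifier-like names only (letters, digits, underscore).
    if (preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $name) !== 1) {
        throw new InvalidArgumentException('Unsafe rewrite variable name');
    }
    output_add_rewrite_var($name, $value);
}

/**
 * Compare a submitted rewrite variable with the original value.
 * The hidden field carries urlencode($value); the browser form-encodes it
 * once more on submit and PHP decodes once when filling $_POST, so the
 * submitted string equals urlencode($value), as the gist's assertions show.
 * hash_equals() keeps the comparison constant-time, which matters for tokens.
 */
function rewrite_var_matches(array $post, string $name, string $expected): bool
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return false;
    }
    return hash_equals(urlencode($expected), $post[$name]);
}

ini_set('url_rewriter.tags', 'form=');
add_rewrite_var_safely('token', '"<Baz & Qux>"');

if (isset($_POST['submit'])) {
    var_dump(rewrite_var_matches($_POST, 'token', '"<Baz & Qux>"'));
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8" /></head>
<body>
<form method="post">
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
```

Placed in a web root and submitted once, the form round-trips the value through the hidden input that PHP appends to the form, and rewrite_var_matches() returns true only because it compares against urlencode() of the original rather than the raw value.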