Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
3.3.7
-
None
-
None
-
None
Description
request->variable, in the file phpbb/request/request.php:
/**
* Central type safe input handling function.
* All variables in GET or POST requests should be retrieved through this function to maximise security.
* ...
* @param bool $multibyte If $default is a string this parameter has to be true if the variable may contain any UTF-8 characters
* Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
* ...
*/
public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST)
Is there any reason not to default the optional 3rd `multibyte` parameter to `true`? When would silently replacing all non-ASCII bytes with question marks ever be desirable behavior? O_o