I set up MediaWiki (1.19.2) with Quercus (4.0.25) on Tomcat 7. The installation process went well: there were no errors or warnings, the database connection is OK, and at the end of the installation process I copied LocalSettings.php into the MediaWiki base folder as required.

From that point on I got the following PHP warning multiple times at the top of every single MediaWiki page:

webapps\mediawiki\includes\Message.php:388: Warning: function 'htmlspecialchars' called with 4 arguments, but only expects 3 arguments [htmlspecialchars]

Message.php:

365:/**
366: * Returns the message parsed from wikitext to HTML.
367: * @return String: HTML
368: */
369:public function toString() {
370:    $string = $this->getMessageText();
371:
372:    # Replace parameters before text parsing
373:    $string = $this->replaceParameters( $string, 'before' );
374:
375:    # Maybe transform using the full parser
376:    if( $this->format === 'parse' ) {
377:        $string = $this->parseText( $string );
378:        $m = array();
379:        if( preg_match( '/^<p>(.*)\n?<\/p>\n?$/sU', $string, $m ) ) {
380:            $string = $m[1];
381:        }
382:    } elseif( $this->format === 'block-parse' ){
383:        $string = $this->parseText( $string );
384:    } elseif( $this->format === 'text' ){
385:        $string = $this->transformText( $string );
386:    } elseif( $this->format === 'escaped' ){
387:        $string = $this->transformText( $string );
388:        $string = htmlspecialchars( $string, ENT_QUOTES, 'UTF-8', false );
389:    }
390:
391:    # Raw parameter replacement
392:    $string = $this->replaceParameters( $string, 'after' );
393:
394:    return $string;
395:}

Can anyone tell me if this is a severe warning or if there may be a version conflict (latest MediaWiki not working with Quercus)?

Might this warning come from a wrong encoding (I chose UTF-8 in setup)?

If there is no solution, is there a way to get rid of this particular warning (MediaWiki seems to work fine as far as I can see so far)?

John Gardeniers

1 Answer

2

According to the PHP manual, htmlspecialchars does take 4 parameters, 3 of which are optional.

This suggests that Quercus is an incomplete implementation of PHP.

A Warning in PHP usually indicates that it is going to keep going and do whatever it can. Presumably, in this case, it will behave as if it were set to true and hence it will double-encode any existing entities.

If the fourth parameter on line 388 (and every other place where this function is called with four parameters) is set to true, this warning can be ignored.

If it is set to false (and now that the code is in your question, I can see that it is), you will likely end up with double-encoded entities in the HTML of the wiki. This could cause display issues and potentially broken links.

A more pressing question in my mind is how incomplete is Quercus? How many other functions don't work the same way as vanilla PHP?

If this is public-facing, there could be security issues with incomplete functions (the equivalent problem in htmlspecialchars_decode() could allow XSS, for example.)

As for how to solve the warning, the correct way would be to raise a bug report with Caucho and update once they have fixed it.

Ladadadada
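
A runtime check for whether the interpreter honours the fourth (`double_encode`) argument discussed in the answer above, with a fallback that approximates `double_encode = false`. This is an added example, not part of the original posts and not MediaWiki or Quercus code; the function names are hypothetical, and the fallback is an approximation that treats any syntactically well-formed character reference as already encoded.

```php
<?php
// Added example. Function names are hypothetical; sample inputs are constructed.

// Probe: with double_encode = false, standard PHP leaves "&amp;" untouched.
// A runtime that ignores the fourth argument re-encodes it to "&amp;amp;".
function runtime_honours_double_encode()
{
    static $result = null;
    if ($result === null) {
        // @ suppresses any warning the probe call itself raises.
        $result = (@htmlspecialchars('&amp;', ENT_QUOTES, 'UTF-8', false) === '&amp;');
    }
    return $result;
}

// Escape for HTML output without double-encoding existing references.
function escape_once($text)
{
    if (runtime_honours_double_encode()) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
    }
    // Fallback: escape everything with the three-argument form, then undo
    // the second encoding only for references that were well-formed in the
    // input (decimal, hexadecimal, or named). The result still contains no
    // raw <, >, " or ', so it stays safe to place in HTML text or attributes.
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return preg_replace(
        '/&amp;(#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);/',
        '&$1;',
        $escaped
    );
}

// Constructed sample inputs: an existing entity, a bare ampersand with markup,
// a numeric reference, and already-escaped markup.
$samples = array('Tom &amp; Jerry', 'AT&T <b>', '&#169; 2012', '&lt;script&gt;');

echo 'double_encode honoured: ', runtime_honours_double_encode() ? 'yes' : 'no', "\n";
foreach ($samples as $s) {
    // "always" shows what a runtime that ignores the argument would emit.
    printf("input=%s\n  once=%s\n  always=%s\n",
        $s, escape_once($s), htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}
```

Comparing the `once` and `always` lines for each input shows which page strings would change if the fourth argument were silently dropped.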