3v4l.org

run code in 300+ PHP versions simultaneously
<?php $string = '<img src="{{ a }}" />'; $payload = '" onload="alert(\'XSS!\');"'; var_dump( str_replace( '{{ a }}', htmlentities($payload, ENT_QUOTES | ENT_HTML5, 'UTF-8'), $string ) ); var_dump( str_replace( '{{ a }}', "/somefile.php?".http_build_query(array('url' => $payload)), $string ) ); var_dump( str_replace( '{{ a }}', urlencode($payload), $string ) );
Output for 5.4.0 - 5.4.45, 5.5.0 - 5.5.38, 5.6.0 - 5.6.40, 7.0.0 - 7.0.33, 7.1.0 - 7.1.33, 7.2.0 - 7.2.34, 7.3.0 - 7.3.33, 7.4.0 - 7.4.33, 8.0.0 - 8.0.30, 8.1.0 - 8.1.33, 8.2.0 - 8.2.29, 8.3.0 - 8.3.27, 8.4.1 - 8.4.15, 8.5.0
string(91) "<img src="&quot; onload&equals;&quot;alert&lpar;&apos;XSS&excl;&apos;&rpar;&semi;&quot;" />" string(77) "<img src="/somefile.php?url=%22+onload%3D%22alert%28%27XSS%21%27%29%3B%22" />" string(59) "<img src="%22+onload%3D%22alert%28%27XSS%21%27%29%3B%22" />"
Output for 8.3.28
/bin/php-8.3.28: /usr/lib/libm.so.6: version `GLIBC_2.38' not found (required by /bin/php-8.3.28) /bin/php-8.3.28: /usr/lib/libm.so.6: version `GLIBC_2.35' not found (required by /bin/php-8.3.28) /bin/php-8.3.28: /usr/lib/libc.so.6: version `GLIBC_2.34' not found (required by /bin/php-8.3.28) /bin/php-8.3.28: /usr/lib/libc.so.6: version `GLIBC_2.38' not found (required by /bin/php-8.3.28)
Process exited with code 1.
preferences:
160.34 ms | 407 KiB | 5 Q