Fix missing HTML encoding in Debugger

Fix missing HTML encoding when error messages contain HTML. This can happen when user data is used as an offset in an array in an unchecked way. Thanks to Teppei Fukuda for reporting this issue via the responsible security disclosure process.
cakephp · Dec 10, 2016 · 6eb1be0 · 6eb1be0
1 parent 777797f
commit 6eb1be0
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/src/Error/Debugger.php b/src/Error/Debugger.php
@@ -733,6 +733,7 @@ public function outputError($data)
 
         if (!empty($tpl['escapeContext'])) {
             $context = h($context);
+            $data['description'] = h($data['description']);
         }
 
         $infoData = compact('code', 'context', 'trace');

diff --git a/tests/TestCase/Error/DebuggerTest.php b/tests/TestCase/Error/DebuggerTest.php
@@ -148,6 +148,30 @@ public function testOutputAsException()
         Debugger::outputAs('Invalid junk');
     }
 
+    /**
+     * Test outputError with description encoding
+     *
+     * @return void
+     */
+    public function testOutputErrorDescriptionEncoding()
+    {
+        Debugger::outputAs('html');
+
+        ob_start();
+        $debugger = Debugger::getInstance();
+        $debugger->outputError([
+            'error' => 'Notice',
+            'code' => E_NOTICE,
+            'level' => E_NOTICE,
+            'description' => 'Undefined index <script>alert(1)</script>',
+            'file' => __FILE__,
+            'line' => __LINE__,
+        ]);
+        $result = ob_get_clean();
+        $this->assertContains('&lt;script&gt;', $result);
+        $this->assertNotContains('<script>', $result);
+    }
+
     /**
      * Tests that changes in output formats using Debugger::output() change the templates used.
      *