From 6eb1be09caac8ecee07db3af05fb1fe8a54ed4ba Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Sat, 10 Dec 2016 09:00:09 -0500
Subject: [PATCH] Fix missing HTML encoding in Debugger

Fix missing HTML encoding when error messages contain HTML. This can happen when user data is used as an offset in an array in an unchecked way. Thanks to Teppei Fukuda for reporting this issue via the responsible security disclosure process.

---
 src/Error/Debugger.php | 1 +
 tests/TestCase/Error/DebuggerTest.php | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/src/Error/Debugger.php b/src/Error/Debugger.php
index 9a33e576d80..8d8d5bd0c73 100644
--- a/src/Error/Debugger.php
+++ b/src/Error/Debugger.php
@@ -733,6 +733,7 @@ public function outputError($data)
 if (!empty($tpl['escapeContext'])) {
 $context = h($context);
+ $data['description'] = h($data['description']);
 }
 $infoData = compact('code', 'context', 'trace');
diff --git a/tests/TestCase/Error/DebuggerTest.php b/tests/TestCase/Error/DebuggerTest.php
index a5cebb26859..50372abd2b4 100644
--- a/tests/TestCase/Error/DebuggerTest.php
+++ b/tests/TestCase/Error/DebuggerTest.php
@@ -148,6 +148,30 @@ public function testOutputAsException()
 Debugger::outputAs('Invalid junk');
 }
+ /**
+ * Test outputError with description encoding
+ *
+ * @return void
+ */
+ public function testOutputErrorDescriptionEncoding()
+ {
+ Debugger::outputAs('html');
+
+ ob_start();
+ $debugger = Debugger::getInstance();
+ $debugger->outputError([
+ 'error' => 'Notice',
+ 'code' => E_NOTICE,
+ 'level' => E_NOTICE,
+ 'description' => 'Undefined index ',
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ ]);
+ $result = ob_get_clean();
+ $this->assertContains('<script>', $result);
+ $this->assertNotContains('
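Review bot: The added escaping of `$data['description']` runs only inside the `if (!empty($tpl['escapeContext']))` branch, so an output format whose template does not set `escapeContext` still renders the description unencoded; if that gating is intentional (it mirrors how `$context` is handled on the line above), a comment would make it explicit, e.g. `// The description can carry user-controlled text (e.g. an array offset), so escape it exactly like $context for formats that opt in.`. The hunk does not show whether the other `$data` fields the new test passes in (`error`, `file`, `line`) are escaped before they reach the same template — presumably elsewhere in outputError, but worth confirming so that one encoded field is not mistaken for the whole payload being safe. The body of outputError starts and ends outside the hunk.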