
Fix missing HTML encoding in Debugger

Fix missing HTML encoding when error messages contain HTML. This can
happen when user data is used, unchecked, as an array offset.

Thanks to Teppei Fukuda for reporting this issue via the responsible
security disclosure process.
markstory committed Dec 10, 2016
1 parent 777797f commit 6eb1be09caac8ecee07db3af05fb1fe8a54ed4ba
Showing with 25 additions and 0 deletions.
  1. +1 −0 src/Error/Debugger.php
  2. +24 −0 tests/TestCase/Error/DebuggerTest.php
@@ -733,6 +733,7 @@ public function outputError($data)
if (!empty($tpl['escapeContext'])) {
$context = h($context);
$data['description'] = h($data['description']);
}
$infoData = compact('code', 'context', 'trace');
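Review bot: The added escape covers only `$data['description']`, while the same `escapeContext` branch leaves `$code` and `$trace` (and any other `$data` field the template renders) untouched; whether those are interpolated into an HTML template is not visible in this hunk, so it is worth confirming that every field reaching the template in an escaping format goes through `h()`. A short why-comment would make the intent durable for the next maintainer: `// description may embed user-supplied strings (e.g. an array offset taken from a request), so escape it alongside the context`. outputError's body begins before and continues after this hunk.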
@@ -148,6 +148,30 @@ public function testOutputAsException()
Debugger::outputAs('Invalid junk');
}
/**
* Test outputError with description encoding
*
* @return void
*/
public function testOutputErrorDescriptionEncoding()
{
Debugger::outputAs('html');
ob_start();
$debugger = Debugger::getInstance();
$debugger->outputError([
'error' => 'Notice',
'code' => E_NOTICE,
'level' => E_NOTICE,
'description' => 'Undefined index <script>alert(1)</script>',
'file' => __FILE__,
'line' => __LINE__,
]);
$result = ob_get_clean();
$this->assertContains('&lt;script&gt;', $result);
$this->assertNotContains('<script>', $result);
}
/**
* Tests that changes in output formats using Debugger::output() change the templates used.
*
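Review bot: The new test switches the global output format with `Debugger::outputAs('html')` and never restores it, and a failure between `ob_start()` and `ob_get_clean()` would also leave the output buffer open for later tests; unless a `tearDown` outside this hunk resets both, wrapping the call in `try { … } finally { ob_end_clean(); }` and restoring the previous format would isolate it. It also pins only the `html` format, whereas the escaping is gated on the template's `escapeContext` flag, so a data provider over every format that sets that flag would guard the fix more completely. The docblock at the end of the hunk belongs to a method that continues outside it.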
