Version: v2.7.5 - master
In CLI mode, BlueScreen renders the output of phpinfo() corrupted (section Environment » Configuration options » Configuration).
\Tracy\BlueScreen expects that the phpinfo() function returns HTML-formatted output, but in CLI mode the output is ASCII-formatted plaintext.
Because the ASCII format is based on whitespace, in HTML this output is broken and should be wrapped in <pre></pre> tags.
There is a security aspect too: \Tracy\BlueScreen expects the values in phpinfo() to be escaped for the HTML context, but the plaintext variant is raw. That makes a real XSS vulnerability.
Lines 268 to 273
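```
composer require tracy/tracy
```

```php
<?php
require __DIR__ . '/vendor/autoload.php';
// Assumed setup, missing from the snippet: enable Tracy and log to this directory.
Tracy\Debugger::enable(Tracy\Debugger::DEVELOPMENT, __DIR__);
throw new \Exception;
```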
Call PHP file via CLI:
A BlueScreen dump is created in the directory; look at section Environment » Configuration options » Configuration, where the output of phpinfo() is corrupted.
Render the output as preformatted text, sanitized to prevent XSS.
I will maybe prepare a PR later.
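
The handling the report asks for, as an added example that is not part of the original report and not Tracy's own code: captured phpinfo() output is escaped and wrapped in `<pre>` when it is plain text, and only the `<body>` contents are kept when it is HTML. The function names, the `$textMode` parameter and the `PHP_SAPI === 'cli'` check are assumptions, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

/** Escape plain text for HTML and keep its whitespace-based layout. */
function escapedPre(string $text): string
{
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

/**
 * Turn captured phpinfo() output into a fragment that is safe to embed in an HTML report.
 * $textMode: true when the SAPI emitted plain text (assumed here: the 'cli' SAPI).
 */
function phpinfoFragment(string $raw, bool $textMode): string
{
    if ($textMode) {
        return escapedPre($raw); // raw values, so escape every byte of it
    }
    // HTML mode: phpinfo() emits a whole document; keep only the <body> contents.
    if (preg_match('#<body[^>]*>(.*)</body>#is', $raw, $m)) {
        return $m[1];
    }
    return escapedPre($raw); // unexpected shape: do not trust it as HTML
}

function capturePhpinfo(): string
{
    ob_start();
    phpinfo(INFO_CONFIGURATION);
    return (string) ob_get_clean();
}

// Constructed sample of CLI-style output with a markup-bearing value.
$sample = "Directive => Local Value => Master Value\n"
    . "auto_prepend_file => <script>alert(1)</script> => no value\n";
$out = phpinfoFragment($sample, true);
if (strpos($out, '<script>') !== false || strpos($out, '&lt;script&gt;') === false) {
    throw new RuntimeException('plain-text phpinfo() output was not escaped');
}

// Real output for the current SAPI.
echo phpinfoFragment(capturePhpinfo(), PHP_SAPI === 'cli'), "\n";
```

Deciding by SAPI rather than by searching the output for `<body` keeps a directive value that happens to contain that string from switching the renderer into the unescaped branch.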
BlueScreen: phpinfo() returns text in CLI [Closes #444]