Version: v2.7.5 - master
Bug Description
In CLI mode, BlueScreen renders the output of phpinfo() corrupted (section Environment » Configuration options » Configuration). \Tracy\BlueScreen expects the phpinfo() function to return HTML-formatted output, but in CLI mode the output is ASCII-formatted plaintext. Because the ASCII format relies on whitespace, this output is broken in HTML and should be wrapped in <pre></pre> tags.
There is a security aspect too: \Tracy\BlueScreen expects the values in phpinfo() to be escaped for the HTML context, but the plaintext variant is raw. That makes a real XSS vulnerability.
Related code: tracy/src/Tracy/BlueScreen/assets/content.phtml, lines 268 to 273 in d85f267
Steps To Reproduce
Create cli.php:
Call the PHP file via CLI:
A BlueScreen dump is created in the directory; look at section Environment » Configuration options » Configuration, where the output of phpinfo() is corrupted.
Expected Behavior
Render the output as preformatted text, sanitized to prevent XSS.
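As an added illustration of the expected behaviour (this is not code from the issue or from Tracy), the helper below captures phpinfo() and branches on the SAPI: under CLI it HTML-escapes the raw plaintext and wraps it in <pre> so the whitespace layout survives; under a web SAPI it keeps the already-escaped HTML body. The function names, the SAPI check and the sample text are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Turn raw phpinfo() output into an HTML fragment that is safe to embed.
 *
 * Added example, not Tracy's own code. The function names and the decision
 * to branch on the SAPI name are assumptions made for this illustration.
 */
function formatPhpInfo(string $raw, string $sapi): string
{
    if ($sapi === 'cli') {
        // CLI phpinfo() is whitespace-aligned plaintext and its values are NOT
        // HTML-escaped: a configuration value containing '<' or '"' would land
        // in the page verbatim. Escape first, then keep the layout with <pre>.
        $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return '<pre>' . $escaped . '</pre>';
    }

    // Web SAPIs emit a complete HTML document whose values are already
    // escaped; keep only the body so it can be embedded in another page.
    if (preg_match('#<body[^>]*>(.*)</body>#is', $raw, $m) === 1) {
        return $m[1];
    }
    return $raw;
}

/** Capture phpinfo() for the running SAPI and format it with the rule above. */
function renderPhpInfo(int $what = INFO_CONFIGURATION): string
{
    ob_start();
    phpinfo($what);
    return formatPhpInfo((string) ob_get_clean(), PHP_SAPI);
}

// Constructed CLI-style sample (not real phpinfo() output) containing a value
// that would be interpreted as markup if inserted into HTML unescaped.
$sample = "Configuration\n\n"
    . "Core\n\n"
    . "Directive => Local Value => Master Value\n"
    . "error_prepend_string => <b>warning</b> => <b>warning</b>\n";

$html = formatPhpInfo($sample, 'cli');
assert(strpos($html, '<pre>') === 0);
assert(strpos($html, '<b>') === false); // markup is escaped to &lt;b&gt;

echo renderPhpInfo(), PHP_EOL;
```

Running the script from a terminal exercises the CLI branch on the real phpinfo() output; the same file served through a web SAPI exercises the HTML branch.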
I will maybe prepare a PR later.