bug #23684 [Debug] Missing escape in debug output (c960657)

This PR was merged into the 2.7 branch. Discussion ---------- [Debug] Missing escape in debug output | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | | License | MIT | Doc PR | When pretty-printing an exception, the debug handler does not properly escape array keys. The problem only occurs when debug output is enabled, so this is not considered a [security issue](http://symfony.com/doc/current/contributing/code/security.html) (according to @fabpot), because the debug tools [should not be used in production](https://symfony.com/doc/current/components/debug.html#usage). A test for this is included in my patch for #18722. Commits ------- 636777d [Debug] HTML-escape array key
symfony · Jul 26, 2017 · 0946243 · 0946243
2 parents 2662c21 + e1ce6a4
commit 0946243
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ExceptionHandler.php b/ExceptionHandler.php
@@ -419,7 +419,7 @@ private function formatArgs(array $args)
                 $formattedValue = str_replace("\n", '', var_export($this->escapeHtml((string) $item[1]), true));
             }
 
-            $result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $key, $formattedValue);
+            $result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $this->escapeHtml($key), $formattedValue);
         }
 
         return implode(', ', $result);