Merge pull request from GHSA-qg5r-95m4-mjgj

* Hotfix: Reflected XSS in Debug mode * Added entry for the security issue GHSA-qg5r-95m4-mjgj to the CHANGELOG * Update CHANGELOG.md * Update CHANGELOG.md --------- Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
yiisoft · May 30, 2024 · ec52aab · ec52aab
1 parent afca29c
commit ec52aab
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ Yii Framework 2 Change Log
 - New #20137: Added `yii\caching\CallbackDependency` to allow using a callback to determine if a cache dependency is still valid (laxity7)
 - Enh #20134: Raise minimum `PHP` version to `7.3` (@terabytesoftw)
 - Bug #20141: Update `ezyang/htmlpurifier` dependency to version `4.17` (@terabytesoftw)
+- CVE-2024-32877: Fixed Reflected XSS in Debug mode (Antiphishing)
 - CVE-2024-4990: Fix Unsafe Reflection in base Component class (@mtangoo)
 - Bug #19817: Add MySQL Query `addCheck()` and `dropCheck()` (@bobonov)
 - Bug #20165: Adjust pretty name of closures for PHP 8.4 compatibility (@staabm)

diff --git a/web/ErrorHandler.php b/web/ErrorHandler.php
@@ -181,7 +181,7 @@ protected function convertExceptionToArray($exception)
      */
     public function htmlEncode($text)
     {
-        return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
     }
 
     /**