From e9bb160bcc0ea1d875f9a179ad714df35361176c Mon Sep 17 00:00:00 2001
From: Alexander Menk
Date: Tue, 19 May 2015 17:04:47 +0200
Subject: [PATCH 1/2] ExceptionHandler: More Encoding
---
 src/Symfony/Component/Debug/ExceptionHandler.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Component/Debug/ExceptionHandler.php b/src/Symfony/Component/Debug/ExceptionHandler.php
index fcb4e56c58..acfc63c227 100644
--- a/src/Symfony/Component/Debug/ExceptionHandler.php
+++ b/src/Symfony/Component/Debug/ExceptionHandler.php
@@ -382,10 +382,10 @@ EOF;
 if ($linkFormat = $this->fileLinkFormat) {
 $link = str_replace(array('%f', '%l'), array($path, $line), $linkFormat);
- return sprintf(' in %s line %d', $link, $file, $line);
+ return sprintf(' in %s line %d', htmlspecialchars($link), htmlspecialchars($file), $line);
 }
- return sprintf(' in %s line %d', $path, $file, $line);
+ return sprintf(' in %s line %d', htmlspecialchars($path), htmlspecialchars($file), $line);
 }
 /**
From eecd197e6ac1346d4f31404e709f3a6814ad2967 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Tue, 19 May 2015 17:38:50 -0700
Subject: [PATCH 2/2] [2.6] Fix HTML escaping of to-source links
---
 src/Symfony/Component/Debug/ExceptionHandler.php | 10 +++++-----
 .../HttpKernel/DataCollector/DumpDataCollector.php | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/Symfony/Component/Debug/ExceptionHandler.php b/src/Symfony/Component/Debug/ExceptionHandler.php
index acfc63c227..8fb345da70 100644
--- a/src/Symfony/Component/Debug/ExceptionHandler.php
+++ b/src/Symfony/Component/Debug/ExceptionHandler.php
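Review bot: Both added `return` lines call `htmlspecialchars()` with its default flags and charset on `$file` (and, on the second, `$path`) instead of the class's own `escapeHtml()` helper, so the encoding no longer follows the handler's configured charset. formatPath's opening lines lie outside this hunk; if `$path` is already escaped there, these calls double-encode it, and escaping `$link` only after `$path` has been substituted means the path itself is what gets encoded, not the attribute. The `str_replace()` with two arrays on the context line also substitutes sequentially, so a `%l` appearing in the already-substituted path would be replaced again; `strtr()` with a map substitutes in one pass. PATCH 2/2 of this series rewrites exactly these lines, so the intermediate state should not be merged on its own.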
@@ -380,12 +380,12 @@ EOF;
 $file = preg_match('#[^/\\\\]*$#', $path, $file) ? $file[0] : $path;
 if ($linkFormat = $this->fileLinkFormat) {
- $link = str_replace(array('%f', '%l'), array($path, $line), $linkFormat);
+ $link = strtr($this->escapeHtml($linkFormat), array('%f' => $path, , '%l' => (int) $line));
- return sprintf(' in %s line %d', htmlspecialchars($link), htmlspecialchars($file), $line);
+ return sprintf(' in %s line %d', $link, $file, $line);
 }
- return sprintf(' in %s line %d', htmlspecialchars($path), htmlspecialchars($file), $line);
+ return sprintf(' in %s line %d', $path, $file, $line);
 }
 /**
@@ -422,7 +422,7 @@ EOF;
 }
 /**
- * Returns an UTF-8 and HTML encoded string
+ * Returns an UTF-8 and HTML encoded string.
 */
 protected static function utf8Htmlize($str)
 {
@@ -441,7 +441,7 @@ EOF;
 }
 /**
- * HTML-encodes a string
+ * HTML-encodes a string.
 */
 private function escapeHtml($str)
 {
diff --git a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
index 32b99e562c..c2e89a1c32 100644
--- a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
+++ b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
@@ -100,9 +100,9 @@ class DumpDataCollector extends DataCollector implements DataDumperInterface
 $name = $info->getTemplateName();
 $src = $info->getEnvironment()->getLoader()->getSource($name);
 $info = $info->getDebugInfo();
- if (isset($info[$trace[$i-1]['line']])) {
+ if (isset($info[$trace[$i - 1]['line']])) {
 $file = false;
- $line = $info[$trace[$i-1]['line']];
+ $line = $info[$trace[$i - 1]['line']];
 $src = explode("\n", $src);
 $fileExcerpt = array();
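Review bot: The added `$link = strtr(...)` line reads `array('%f' => $path, , '%l' => (int) $line)` — the doubled comma is a parse error as written, unless it is an artifact of how this patch was rendered; the intended literal is presumably `array('%f' => $path, '%l' => (int) $line)`. Escaping `$linkFormat` before substituting is the right order for an `href` attribute (an `&` in the format becomes `&amp;`, and `(int)` keeps `%l` inert), but it means `%f` now receives `$path` untouched, so the two new `sprintf` lines are only safe if `$path` was HTML-escaped at the top of formatPath, which lies outside this hunk and cannot be confirmed here. That invariant deserves a line at the point of use, e.g. `// $path is already HTML-escaped and %l is cast to int, so $link needs no further escaping`. Note also that the path is HTML-escaped but never URL-encoded when it lands in the link, so a path containing `?` or `#` yields a malformed link rather than an injection — acceptable for server-side file paths, but worth recording next to the comment above.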
@@ -259,7 +259,7 @@ class DumpDataCollector extends DataCollector implements DataDumperInterface
 $name = strip_tags($this->style('', $name));
 $file = strip_tags($this->style('', $file));
 if ($fileLinkFormat) {
- $link = strtr($fileLinkFormat, array('%f' => $file, '%l' => (int) $line));
+ $link = strtr(strip_tags($this->style('', $fileLinkFormat)), array('%f' => $file, '%l' => (int) $line));
 $name = sprintf(''.$s.'', $link, $file, $name);
 } else {
 $name = sprintf(''.$s.'', $file, $name);
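Review bot: The new `$link` line escapes `$fileLinkFormat` by round-tripping it through `$this->style('', ...)` and `strip_tags()`, the same trick the two context lines above use for `$name` and `$file`; it is consistent, but it encodes by side effect of a styling helper whose body is not visible here, and nothing at the call site says that is the intent. A one-line comment would make it explicit, e.g. `// style() presumably HTML-encodes its input; strip_tags() removes only the wrapper it adds`. Escaping the format before `strtr()` substitutes `%f`/`%l` matches the ExceptionHandler change in this series, `(int) $line` keeps the second substitution inert, and `$file` is the already-stripped value from two lines up, so it is not escaped twice.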