bug #23684 [Debug] Missing escape in debug output (c960657)
This PR was merged into the 2.7 branch.
Discussion
----------
[Debug] Missing escape in debug output
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
When pretty-printing an exception, the debug handler does not properly escape array keys.
The problem only occurs when debug output is enabled, so this is not considered a [security issue](http://symfony.com/doc/current/contributing/code/security.html) (according to @fabpot), because the debug tools [should not be used in production](https://symfony.com/doc/current/components/debug.html#usage).
A test for this is included in my patch for #18722.
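To make the defect concrete, here is an added example, not Symfony's code and not part of the PR: a stripped-down copy of the argument-formatting loop the patch touches, in its pre-fix and post-fix form, run on a constructed array whose key carries markup. `escapeHtml()` is an assumed stand-in for the handler's own helper (its exact `htmlspecialchars` flags are not shown on this page); `formatArgsVulnerable` and `formatArgsFixed` are names chosen here.

```php
<?php
// Added example, not code from the Symfony Debug component.
// Assumed stand-in for the handler's escapeHtml() helper; the ENT_QUOTES
// flag is this example's choice, not necessarily what the handler uses.
function escapeHtml(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pre-fix shape of the loop: the value is HTML-escaped, then var_export'ed,
// but a string key is dropped into the "'%s'" placeholder untouched.
function formatArgsVulnerable(array $args): string
{
    $result = [];
    foreach ($args as $key => $value) {
        $formattedValue = str_replace("\n", '', var_export(escapeHtml((string) $value), true));
        $result[] = is_int($key)
            ? $formattedValue
            : sprintf("'%s' => %s", $key, $formattedValue);
    }

    return implode(', ', $result);
}

// Post-fix shape: the only change is that the key now goes through
// escapeHtml() as well, so markup in it is entity-encoded before it reaches
// the HTML debug page.
function formatArgsFixed(array $args): string
{
    $result = [];
    foreach ($args as $key => $value) {
        $formattedValue = str_replace("\n", '', var_export(escapeHtml((string) $value), true));
        $result[] = is_int($key)
            ? $formattedValue
            : sprintf("'%s' => %s", escapeHtml($key), $formattedValue);
    }

    return implode(', ', $result);
}

// Constructed input: an array key containing an HTML tag, as could end up
// in an exception's call-stack arguments if a caller builds an array from
// request data. The integer-keyed entry shows the value path is unaffected.
$args = [
    '<img src=x onerror=alert(1)>' => 'value',
    0 => '<b>',
];

echo "vulnerable: ", formatArgsVulnerable($args), PHP_EOL;
echo "fixed:      ", formatArgsFixed($args), PHP_EOL;
```

In the first line of output the key is printed verbatim, so once the formatted arguments are embedded in the HTML exception page the tag is live; in the second the key appears as `&lt;img ...&gt;` and is rendered as text. The value `<b>` is encoded in both cases, which is exactly the asymmetry the PR closes.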
Commits
-------
636777d
[Debug] HTML-escape array key
This commit is contained in: commit 50b5696779
@ -419,7 +419,7 @@ EOF;
|
|||||||
$formattedValue = str_replace("\n", '', var_export($this->escapeHtml((string) $item[1]), true));
|
$formattedValue = str_replace("\n", '', var_export($this->escapeHtml((string) $item[1]), true));
|
||||||
}
|
}
|
||||||
|
|
||||||
$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $key, $formattedValue);
|
$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $this->escapeHtml($key), $formattedValue);
|
||||||
}
|
}
|
||||||
|
|
||||||
return implode(', ', $result);
|
return implode(', ', $result);
|
||||||
|
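Review bot: the key is now HTML-escaped, but unlike the value on the preceding line it is not passed through `var_export` before being dropped into the `'%s'` placeholder, so a key containing a single quote or backslash still produces a malformed-looking PHP literal in the output (a key of `it's` renders as `'it's' => ...`). Since the value side already does `var_export($this->escapeHtml((string) $item[1]), true)`, the key side could mirror it for consistency: `sprintf('%s => %s', var_export($this->escapeHtml($key), true), $formattedValue)`. The `is_int($key)` guard does mean `$key` is always a string on this branch, so the missing `(string)` cast that the value path has is not a problem here.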