8000 bug #23684 [Debug] Missing escape in debug output (c960657) · symfony/symfony@50b5696 · GitHub

Commit 50b5696

bug #23684 [Debug] Missing escape in debug output (c960657)
This PR was merged into the 2.7 branch.

Discussion
----------

[Debug] Missing escape in debug output

| Q             | A   |
| ------------- | --- |
| Branch?       | 2.7 |
| Bug fix?      | yes |
| New feature?  | no  |
| BC breaks?    | no  |
| Deprecations? | no  |
| Tests pass?   | yes |
| Fixed tickets |     |
| License       | MIT |
| Doc PR        |     |

When pretty-printing an exception, the debug handler does not properly escape array keys. The problem only occurs when debug output is enabled, so this is not considered a [security issue](http://symfony.com/doc/current/contributing/code/security.html) (according to @fabpot), because the debug tools [should not be used in production](https://symfony.com/doc/current/components/debug.html#usage).

A test for this is included in my patch for #18722.

Commits
-------

636777d [Debug] HTML-escape array key
2 parents a90250d + 636777d commit 50b5696

File tree: 1 file changed (+1, -1 lines changed)

src/Symfony/Component/Debug/ExceptionHandler.php

Lines changed: 1 addition & 1 deletion
@@ -419,7 +419,7 @@ private function formatArgs(array $args)
419419
$formattedValue = str_replace("\n", '', var_export($this->escapeHtml((string) $item[1]), true));
420420
}
421421

422-
$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $key, $formattedValue);
422+
$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $this->escapeHtml($key), $formattedValue);
423423
}
424424

425425
return implode(', ', $result);
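Review bot: the new key path in the changed line only HTML-escapes `$key` before dropping it between literal single quotes in `sprintf("'%s' => %s", ...)`, whereas the value path on the line above runs the escaped string through `var_export(..., true)`, which also handles PHP string quoting (a key containing a single quote would otherwise render with unbalanced quotes). Consider mirroring the value path, e.g. `sprintf("%s => %s", var_export($this->escapeHtml($key), true), $formattedValue)`, so keys and values are formatted the same way; the commit message notes the regression test lives in #18722 rather than in this commit, so a one-line test with a key such as `<b>` would be worth adding here as well.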
