feature #30024 [Debug] Display more details in the simple error page of Debug (javiereguiluz)

nicolas-grekas · nicolas-grekas · commit a6a1be803d7e · 2019-02-07T10:41:46.000+01:00
This PR was squashed before being merged into the 4.3-dev branch (closes #30024). Discussion ---------- [Debug] Display more details in the simple error page of Debug | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #29891 | License | MIT | Doc PR | - Note: this only changes the simple error page of Debug component, which is different from the full-featured error page of WebProfilerBundle. ----- #29891 shows a confusing error page. In #29928 we improved the first error message displayed to the user. In this PR we implement @nicolas-grekas' idea to replace the generic error page title by a better error message. So, this PR + #29928 would fix #29891 to me. ### Before ![error-before](https://user-images.githubusercontent.com/73419/51920135-1519b500-23e5-11e9-99d6-e9b631b97499.png) ### After ![error-after](https://user-images.githubusercontent.com/73419/51920141-1945d280-23e5-11e9-97c3-49b2170dbd15.png) Commits ------- 75ff151 [Debug] Display more details in the simple error page of Debug
diff --git a/src/Symfony/Component/Debug/ExceptionHandler.php b/src/Symfony/Component/Debug/ExceptionHandler.php
@@ -207,7 +207,7 @@ public function getContent(FlattenException $exception)
                 $title = 'Sorry, the page you are looking for could not be found.';
                 break;
             default:
-                $title = 'Whoops, looks like something went wrong.';
+                $title = $this->debug ? $this->escapeHtml($exception->getMessage()) : 'Whoops, looks like something went wrong.';
         }
 
         if (!$this->debug) {
diff --git a/src/Symfony/Component/Debug/Tests/ExceptionHandlerTest.php b/src/Symfony/Component/Debug/Tests/ExceptionHandlerTest.php
@@ -48,8 +48,17 @@ public function testDebug()
         $handler->sendPhpResponse(new \RuntimeException('Foo'));
         $response = ob_get_clean();
 
-        $this->assertContains('Whoops, looks like something went wrong.', $response);
+        $this->assertContains('<h1 class="break-long-words exception-message">Foo</h1>', $response);
         $this->assertContains('<div class="trace trace-as-html">', $response);
+
+        // taken from https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+        $htmlWithXss = '<body onload=alert(\'test1\')> <b onmouseover=alert(\'Wufff!\')>click me!</b> <img src="j&#X41vascript:alert(\'test2\')"> <meta http-equiv="refresh"
+content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">';
+        ob_start();
+        $handler->sendPhpResponse(new \RuntimeException($htmlWithXss));
+        $response = ob_get_clean();
+
+        $this->assertContains(sprintf('<h1 class="break-long-words exception-message">%s</h1>', htmlspecialchars($htmlWithXss, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8')), $response);
     }
 
     public function testStatusCode()

Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,7 @@ public function getContent(FlattenException $exception)`
`207`	`207`	`$title = 'Sorry, the page you are looking for could not be found.';`
`208`	`208`	`break;`
`209`	`209`	`default:`
`210`		`- $title = 'Whoops, looks like something went wrong.';`
	`210`	`+ $title = $this->debug ? $this->escapeHtml($exception->getMessage()) : 'Whoops, looks like something went wrong.';`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	`if (!$this->debug) {`