[Debug] Display more details in the simple error page of Debug

symfony · nicolas-grekas · Feb 7, 2019 · Jan 29, 2019 · Feb 7, 2019 · 75ff151580fc41b96581bfa1740f9b65a4787323
commit 75ff151580fc41b96581bfa1740f9b65a4787323
diff --git a/src/Symfony/Component/Debug/ExceptionHandler.php b/src/Symfony/Component/Debug/ExceptionHandler.php
@@ -207,7 +207,7 @@ public function getContent(FlattenException $exception)
                 $title = 'Sorry, the page you are looking for could not be found.';
                 break;
             default:
-                $title = 'Whoops, looks like something went wrong.';
+                $title = $this->debug ? $this->escapeHtml($exception->getMessage()) : 'Whoops, looks like something went wrong.';
         }
 
         if (!$this->debug) {

diff --git a/src/Symfony/Component/Debug/Tests/ExceptionHandlerTest.php b/src/Symfony/Component/Debug/Tests/ExceptionHandlerTest.php
@@ -48,8 +48,17 @@ public function testDebug()
         $handler->sendPhpResponse(new \RuntimeException('Foo'));
         $response = ob_get_clean();
 
-        $this->assertContains('Whoops, looks like something went wrong.', $response);
+        $this->assertContains('<h1 class="break-long-words exception-message">Foo</h1>', $response);
         $this->assertContains('<div class="trace trace-as-html">', $response);
+
+        // taken from https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+        $htmlWithXss = '<body onload=alert(\'test1\')> <b onmouseover=alert(\'Wufff!\')>click me!</b> <img src="j&#X41vascript:alert(\'test2\')"> <meta http-equiv="refresh"
+content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg">';
+        ob_start();
+        $handler->sendPhpResponse(new \RuntimeException($htmlWithXss));
+        $response = ob_get_clean();
+
+        $this->assertContains(sprintf('<h1 class="break-long-words exception-message">%s</h1>', htmlspecialchars($htmlWithXss, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8')), $response);
     }
 
     public function testStatusCode()