[BUGFIX] Apply hsc() to exception debug output 91/45991/2
authorMarkus Klein <markus.klein@typo3.org>
Sat, 16 Jan 2016 09:31:11 +0000 (10:31 +0100)
committerAnja Leichsenring <aleichsenring@ab-softlab.de>
Sat, 16 Jan 2016 09:32:30 +0000 (10:32 +0100)
Resolves: #72755
Releases: master, 7.6, 6.2
Change-Id: If62a72ccc0f8daa47b5cd67b1e2f3fb30f2bf1dc
Reviewed-on: https://review.typo3.org/45991
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
typo3/sysext/core/Classes/Error/DebugExceptionHandler.php

index 5ce9058..f4296cd 100644 (file)
@@ -142,13 +142,13 @@ Uncaught TYPO3 Exception ' . $exceptionCodeNumber . $exception->getMessage() . L
                $backtraceCode = '';
                if (count($trace)) {
                        foreach ($trace as $index => $step) {
-                               $class = isset($step['class']) ? $step['class'] . '<span style="color:white;">::</span>' : '';
+                               $class = isset($step['class']) ? htmlspecialchars($step['class']) . '<span style="color:white;">::</span>' : '';
                                $arguments = '';
                                if (isset($step['args']) && is_array($step['args'])) {
                                        foreach ($step['args'] as $argument) {
                                                $arguments .= strlen($arguments) === 0 ? '' : '<span style="color:white;">,</span> ';
                                                if (is_object($argument)) {
-                                                       $arguments .= '<span style="color:#FF8700;"><em>' . get_class($argument) . '</em></span>';
+                                                       $arguments .= '<span style="color:#FF8700;"><em>' . htmlspecialchars(get_class($argument)) . '</em></span>';
                                                } elseif (is_string($argument)) {
                                                        $preparedArgument = strlen($argument) < 100
                                                                ? $argument
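Review bot: The string-argument branch at the foot of the hunk still takes `$argument` verbatim into `$preparedArgument`, and the line where it is appended to `$arguments` lies outside the hunk, so it is not visible whether a user-supplied string reaching a stack frame gets the same escaping the commit now applies to class names; if it does not, `htmlspecialchars($preparedArgument)` at that append is the missing piece of this fix. All the new `htmlspecialchars()` calls here and in the second hunk (`$filePathAndName`, `$codeLine`) rely on the default flags, and with PHP's UTF-8 default charset an invalid byte sequence in an argument string or in a non-UTF-8 source file makes the call return an empty string, silently blanking that frame or code line on the debug page. Passing `ENT_QUOTES | ENT_SUBSTITUTE` (available from PHP 5.4) keeps the output intact; if the 6.2 backport must still run on older PHP, a short comment naming that limitation is preferable to silent truncation. The enclosing method starts before and ends after this hunk.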
@@ -200,13 +200,13 @@ Uncaught TYPO3 Exception ' . $exceptionCodeNumber . $exception->getMessage() . L
                                $startLine = $lineNumber > 2 ? $lineNumber - 2 : 1;
                                $endLine = $lineNumber < count($phpFile) - 2 ? $lineNumber + 3 : count($phpFile) + 1;
                                if ($endLine > $startLine) {
-                                       $codeSnippet = '<br /><span style="font-size:10px;">' . $filePathAndName . ':</span><br /><pre>';
+                                       $codeSnippet = '<br /><span style="font-size:10px;">' . htmlspecialchars($filePathAndName) . ':</span><br /><pre>';
                                        for ($line = $startLine; $line < $endLine; $line++) {
                                                $codeLine = str_replace(TAB, ' ', $phpFile[$line - 1]);
                                                if ($line === $lineNumber) {
                                                        $codeSnippet .= '</pre><pre style="background-color: #F1F1F1; color: black;">';
                                                }
-                                               $codeSnippet .= sprintf('%05d', $line) . ': ' . $codeLine;
+                                               $codeSnippet .= sprintf('%05d', $line) . ': ' . htmlspecialchars($codeLine);
                                                if ($line === $lineNumber) {
                                                        $codeSnippet .= '</pre><pre>';
                                                }
@@ -218,4 +218,4 @@ Uncaught TYPO3 Exception ' . $exceptionCodeNumber . $exception->getMessage() . L
                return $codeSnippet;
        }
 
-}
+}
\ No newline at end of file