From 530b6f638160c4c86fa04b66299e12caa3b894ea Mon Sep 17 00:00:00 2001
From: Markus Klein <markus.klein@typo3.org>
Date: Sat, 16 Jan 2016 00:04:22 +0100
Subject: [PATCH] [BUGFIX] Apply hsc() to exception debug output

Resolves: #72755
Releases: master, 7.6, 6.2
Change-Id: If62a72ccc0f8daa47b5cd67b1e2f3fb30f2bf1dc
Reviewed-on: https://review.typo3.org/45980
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Martin Kutschker <martin.kutschker@ymail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
---
 typo3/sysext/core/Classes/Error/DebugExceptionHandler.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
index b7acf7298182..d8c028e9166b 100644
--- a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
@@ -142,13 +142,13 @@ Uncaught TYPO3 Exception ' . $exceptionCodeNumber . $exception->getMessage() . L
 $backtraceCode = '';
 if (!empty($trace)) {
 foreach ($trace as $index => $step) {
- $class = isset($step['class']) ? $step['class'] . '<span style="color:white;">::</span>' : '';
+ $class = isset($step['class']) ? htmlspecialchars($step['class']) . '<span style="color:white;">::</span>' : '';
 $arguments = '';
 if (isset($step['args']) && is_array($step['args'])) {
 foreach ($step['args'] as $argument) {
 $arguments .= (string)$arguments === '' ? '' : '<span style="color:white;">,</span> ';
 if (is_object($argument)) {
- $arguments .= '<span style="color:#FF8700;"><em>' . get_class($argument) . '</em></span>';
+ $arguments .= '<span style="color:#FF8700;"><em>' . htmlspecialchars(get_class($argument)) . '</em></span>';
 } elseif (is_string($argument)) {
 $preparedArgument = strlen($argument) < 100 ? $argument
@@ -201,13 +201,13 @@ Uncaught TYPO3 Exception ' . $exceptionCodeNumber . $exception->getMessage() . L
 $phpFileCount = count($phpFile);
 $endLine = $lineNumber < $phpFileCount - 2 ? $lineNumber + 3 : $phpFileCount + 1;
 if ($endLine > $startLine) {
- $codeSnippet = '<br /><span style="font-size:10px;">' . $filePathAndName . ':</span><br /><pre>';
+ $codeSnippet = '<br /><span style="font-size:10px;">' . htmlspecialchars($filePathAndName) . ':</span><br /><pre>';
 for ($line = $startLine; $line < $endLine; $line++) {
 $codeLine = str_replace(TAB, ' ', $phpFile[$line - 1]);
 if ($line === $lineNumber) {
 $codeSnippet .= '</pre><pre style="background-color: #F1F1F1; color: black;">';
 }
- $codeSnippet .= sprintf('%05d', $line) . ': ' . $codeLine;
+ $codeSnippet .= sprintf('%05d', $line) . ': ' . htmlspecialchars($codeLine);
 if ($line === $lineNumber) {
 $codeSnippet .= '</pre><pre>';
 }
-- GitLab
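Review bot: The two new `htmlspecialchars()` calls in this hunk rely on PHP's default flags and charset, so on PHP 5.4 and later a `$codeLine` read from a source file that is not valid UTF-8 (a Latin-1 comment in legacy extension code, for instance) makes `htmlspecialchars()` return an empty string and that line silently vanishes from the snippet, which may well be the very line the developer is trying to inspect. Passing the flags explicitly keeps the line and also escapes quotes should this markup ever be moved into an attribute: `$codeSnippet .= sprintf('%05d', $line) . ': ' . htmlspecialchars($codeLine, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` with the same treatment for `$filePathAndName` on the first added line. `ENT_SUBSTITUTE` exists only from PHP 5.4, so if the 6.2 branch this is backported to still has to run on older PHP, that branch would need a guard or a different approach. The enclosing method begins before and continues after this hunk.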