From feeb4e5ab13081a76fee5da0727be23d32009374 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20Gro=C3=9Fberndt?= <stephan@grossberndt.de>
Date: Sat, 16 Dec 2017 13:56:52 +0100
Subject: [PATCH] [BUGFIX] Add missing htmlspecialchars() and cleanup in
 DebuggerUtility

Add missing htmlspecialchars() calls in
EXT:extbase/Classes/Utility/DebuggerUtility.php and cleanup indents in
collections.

Resolves: #83356
Releases: master
Change-Id: I03eae07be66bbfb9b5b605359666857e56beba83
Reviewed-on: https://review.typo3.org/55115
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
---
 typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php b/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php
index 71ed74d7c66e..2e2af045d5ec 100644
--- a/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php
+++ b/typo3/sysext/extbase/Classes/Utility/DebuggerUtility.php
@@ -261,7 +261,7 @@ class DebuggerUtility
         if ($plainText) {
             $dump .= self::ansiEscapeWrap($className, '36', $ansiColors);
         } else {
-            $dump .= '<span class="extbase-debug-type">' . $className . '</span>';
+            $dump .= '<span class="extbase-debug-type">' . htmlspecialchars($className) . '</span>';
         }
         if (! $object instanceof \Closure) {
             if ($object instanceof \TYPO3\CMS\Core\SingletonInterface) {
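Review bot: The new `htmlspecialchars($className)` call relies on the default flags and on the configured `default_charset`. On PHP versions before 8.1 the default flags do not include `ENT_SUBSTITUTE`, so a value containing bytes that are invalid in that charset makes the function return an empty string and the type label silently disappears from the dump. Passing the arguments explicitly keeps the escaping independent of runtime configuration: `htmlspecialchars($className, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The same applies to `htmlspecialchars($key)` in the second hunk, where arbitrary array keys make invalid byte sequences more likely. The enclosing method starts and ends outside this hunk.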
@@ -464,7 +464,12 @@ class DebuggerUtility
     {
         $dump = '';
         foreach ($collection as $key => $value) {
-            $dump .= PHP_EOL . str_repeat(self::PLAINTEXT_INDENT, $level) . ($plainText ? '' : '<span class="extbase-debug-property">') . self::ansiEscapeWrap($key, '37', $ansiColors) . ($plainText ? '' : '</span>') . ' => ';
+            if ($plainText) {
+                $dump .= PHP_EOL . str_repeat(self::PLAINTEXT_INDENT, $level) . self::ansiEscapeWrap($key, '37', $ansiColors);
+            } else {
+                $dump .= '<span class="extbase-debug-property">' . htmlspecialchars($key) . '</span>';
+            }
+            $dump .= ' => ';
             $dump .= self::renderDump($value, $level, $plainText, $ansiColors);
         }
         if ($collection instanceof \Iterator) {
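Review bot: The HTML branch no longer emits `PHP_EOL . str_repeat(self::PLAINTEXT_INDENT, $level)`, which the removed line prepended in both modes, so each collection entry loses its line break and indent in HTML output. If that is not what the "cleanup" in the commit message intends, hoist it above the `if` as `$dump .= PHP_EOL . str_repeat(self::PLAINTEXT_INDENT, $level);` and keep only the key rendering inside the two branches. Separately, `$key` can be an integer for list-like collections; if this file declares strict types (not visible here), `htmlspecialchars($key)` would raise a TypeError, so `htmlspecialchars((string)$key)` is the safer form. The method signature and the rest of its body are outside the hunk.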
-- 
GitLab