sesser Sat Mar 8 10:20:12 2003 EDT Modified files: /php4/main main.c Log: fix possible XSS in error messages Index: php4/main/main.c diff -u php4/main/main.c:1.536 php4/main/main.c:1.537 --- php4/main/main.c:1.536 Fri Mar 7 00:15:26 2003 +++ php4/main/main.c Sat Mar 8 10:20:12 2003 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: main.c,v 1.536 2003/03/07 05:15:26 sniper Exp $ */ +/* $Id: main.c,v 1.537 2003/03/08 15:20:12 sesser Exp $ */ /* {{{ includes */ @@ -439,6 +439,14 @@ buffer_len = vspprintf(&buffer, 0, format, args); if (buffer) { + if (PG(html_errors)) { + int len; + char *replace = php_escape_html_entities(buffer, buffer_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC); + efree(buffer); + buffer = replace; + buffer_len = len; + } + if (docref && docref[0] == '#') { docref_target = strchr(docref, '#'); docref = NULL; @@ -571,6 +579,14 @@ TSRMLS_FETCH(); buffer_len = vspprintf(&buffer, PG(log_errors_max_len), format, args); + if (PG(html_errors)) { + int len; + char *replace = php_escape_html_entities(buffer, buffer_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC); + efree(buffer); + buffer = replace; + buffer_len = len; + } + if (PG(ignore_repeated_errors)) { if (strncmp(last_error.buf, buffer, sizeof(last_error.buf)) || (!PG(ignore_repeated_source)
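Review bot: With html_errors on, the buffer escaped in the second hunk (@@ -439,6 +439,14 @@) is escaped a second time if this function forwards its assembled message through php_error() to the callback patched in the third hunk (@@ -571,6 +579,14 @@), which applies the same php_escape_html_entities() call to every message it receives — a `&` in the original text would reach the browser as `&amp;amp;`, and any HTML link markup this function builds around docref for html_errors would be rendered as literal text rather than a link. In the third hunk the escape also sits before the callback's logging and display paths, so the error log would receive entity-encoded text whenever html_errors is on; that placement is inferred from the position of the added block, not visible in the hunk. Escaping in exactly one place — where the message is written into the HTML template — and leaving buffer raw for logging and for the ignore_repeated_errors comparison would keep the XSS fix without the double encoding. The enclosing functions start and end outside both hunks.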