From 1e4aff2d9cba71e0c43a3ca2126f998c4e0522bf Mon Sep 17 00:00:00 2001 From: Casey Peel Date: Mon, 14 Oct 2024 18:24:39 -0700 Subject: [PATCH] Remove external functions from exception handlers (#1355) --- api/index.php | 6 ++++++ pinc/base.inc | 8 ++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/api/index.php b/api/index.php index 60c315717c..54c45bb3be 100644 --- a/api/index.php +++ b/api/index.php @@ -236,6 +236,12 @@ function handle_cors_headers() } } +//---------------------------------------------------------------------------- + +// Exception handlers should not rely on functions outside of the base PHP +// set or defined in this file as the handlers may be used before the functions +// are defined. + function production_exception_handler($exception) { if ($exception instanceof ApiException) { diff --git a/pinc/base.inc b/pinc/base.inc index 237236141d..ec0b71babf 100644 --- a/pinc/base.inc +++ b/pinc/base.inc @@ -79,6 +79,10 @@ if ($maintenance && !@$maintenance_override) { //---------------------------------------------------------------------------- +// Exception handlers should not rely on functions outside of the base PHP +// set or defined in this file as the handlers may be used before the functions +// are defined. + function production_exception_handler($exception) { global $maintenance; @@ -100,7 +104,7 @@ function production_exception_handler($exception) } echo "
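Review bot: The `$exception` parameter of production_exception_handler() stays untyped in the new signature lines of both the api/index.php hunk and the pinc/base.inc @@ -79,6 +79,10 hunk; since set_exception_handler() only ever passes a Throwable, declaring it as `function production_exception_handler(\Throwable $exception)` records that contract and lets static analysis check the getMessage() calls that follow. The added comment agrees with the one body line visible here: `instanceof ApiException` neither loads nor requires the class, so it is safe even when ApiException has not been defined yet. The comment is guidance only; one more sentence spelling out what "base PHP set" means in practice would make it easier to apply, e.g. `// (i.e. PHP built-ins only; no helpers from other included files)`. Both function bodies continue outside their hunks.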

\n"; - echo html_safe($exception->getMessage()); + echo htmlspecialchars($exception->getMessage(), ENT_QUOTES, 'UTF-8'); echo "\n

"; } @@ -110,7 +114,7 @@ function test_exception_handler($exception) // production_exception_handler() here because we don't want the special // handling on DB connection error. echo "

\n"; - echo html_safe($exception->getMessage()); + echo htmlspecialchars($exception->getMessage(), ENT_QUOTES, 'UTF-8'); echo "\n

"; // Output the stacktrace in a preformatted block