From aa1b0709f211f1e986c911df1bda29f25b652efa Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Tue, 6 Dec 2005 03:09:24 +0000
Subject: [PATCH] Fixed possible XSS inside error reporting functionality.

---
 NEWS | 1 +
 main/main.c | 27 +++++++++++++++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index 3df4c670ef4..26de137d4cb 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,7 @@ PHP NEWS
 . Fixed isset/empty/(bool) behavior
 . Fixed iterator edge cases
 . Added methods getNamespaces(), getDocNamespaces()
+- Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed many bugs in OCI8. (Tony)
 - Fixed crash and leak in mysqli when using 4.1.x client libraries and
 connecting to 5.x server. (Andrey)
diff --git a/main/main.c b/main/main.c
index b048ea5332e..82706abfc3e 100644
--- a/main/main.c
+++ b/main/main.c
@@ -433,6 +433,7 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
 char *space;
 char *class_name = get_active_class_name(&space TSRMLS_CC);
 char *function;
+ int origin_len;
 char *origin;
 char *message;
 int is_function = 0;
@@ -490,9 +491,16 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
 /* if we still have memory then format the origin */
 if (is_function) {
- spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);
+ origin_len = spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);
 } else {
- spprintf(&origin, 0, "%s", function);
+ origin_len = spprintf(&origin, 0, "%s", function);
+ }
+
+ if (PG(html_errors)) {
+ int len;
+ char *replace = php_escape_html_entities(origin, origin_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ efree(origin);
+ origin = replace;
 }
 /* origin and buffer available, so lets come up with the error message */
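Review bot: In the `@@ -490,9 +491,16 @@` hunk `origin` is entity-encoded once here, but the php_error_cb hunk later in this patch (`@@ -761,10 +769,17 @@`) entity-encodes the complete assembled output a second time when html_errors is on, so if php_verror's message travels through php_error_cb (which this hunk does not show, but the shared error path suggests) the `&amp;`/`&lt;` produced here become `&amp;amp;`/`&amp;lt;` and a class, function or `params` value containing `<` is displayed as the literal text `&lt;`. Each untrusted field should be encoded exactly once: keep this encoding of `origin` and let php_error_cb encode only the text it receives raw rather than the whole line. `len` is assigned by php_escape_html_entities and never read in the hunk; if the length is not needed downstream, say so with `int len; /* output length, unused: the escaped copy is used as a C string */`, otherwise carry it forward into `origin_len`. php_verror begins and ends outside this hunk, so whether `origin_len` is consulted after this point cannot be checked from here.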
@@ -761,10 +769,17 @@ static void php_error_cb(int type, const char *error_filename, const uint error_
 } else {
 char *prepend_string = INI_STR("error_prepend_string");
 char *append_string = INI_STR("error_append_string");
- char *error_format = PG(html_errors) ?
- "%s
\n%s: %s in %s on line %d
\n%s"
- : "%s\n%s: %s in %s on line %d\n%s";
- php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+
+ if (PG(html_errors)) {
+ char *buf, *buf2;
+ int len2, len = spprintf(&buf, 0, "%s
\n%s: %s in %s on line %d
\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ buf2 = php_escape_html_entities(buf, len, &len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ php_printf("%s", buf2);
+ efree(buf);
+ efree(buf2);
+ } else {
+ php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ }
 }
 }
 #if ZEND_DEBUG
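Review bot: In the html_errors branch of the `@@ -761,10 +769,17 @@` hunk, php_escape_html_entities is applied to the whole formatted `buf`, so the format literal's own markup (this rendering of the patch shows a line break where tags apparently stood between `"%s` and `\n%s:`), the values of error_prepend_string and error_append_string (administrator-configured strings that commonly hold markup), error_type_str and the filename are all entity-encoded and the browser shows them literally. Only the caller-influenced fields need encoding — `buffer`, and `error_filename` if it can carry user-derived paths — so escape those before formatting and keep the original html format line in the php_printf call; the plain-text branch stays as the hunk has it. php_error_cb starts outside the hunk; if it already holds the length vspprintf returned for `buffer`, pass that instead of `strlen(buffer)`, and guard `error_filename` before calling strlen on it if it can be NULL here.
```c
if (PG(html_errors)) {
    int esc_len;
    char *esc_buffer = php_escape_html_entities(buffer, strlen(buffer), &esc_len, 0, ENT_COMPAT, NULL TSRMLS_CC);
    /* HTML_ERROR_FORMAT is a placeholder for the html format literal from the removed error_format line */
    php_printf(HTML_ERROR_FORMAT, STR_PRINT(prepend_string), error_type_str, esc_buffer, error_filename, error_lineno, STR_PRINT(append_string));
    efree(esc_buffer);
} else {
    /* … unchanged: plain-text php_printf … */
}
```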