Merge pull request #9859 from cakephp/debugger-encoding

2.x - Debugger encoding

lib/Cake/Test/Case/Utility/DebuggerTest.php

@@ -155,6 +155,24 @@ class DebuggerTest extends CakeTestCase {
 		$this->assertContains('$wrong = ''', $result[3], 'Context should be HTML escaped.');
 	}
 
+/**
+ * test encodes error messages
+ *
+ * @return void
+ */
+	public function testOutputEncodeDescription() {
+		set_error_handler('Debugger::showError');
+		$this->_restoreError = true;
+
+		ob_start();
+		$a = array();
+		$b = $a['<script>alert(1)</script>'];
+		$result = ob_get_clean();
+
+		$this->assertNotContains('<script>alert(1)', $result);
+		$this->assertContains('&lt;script&gt;alert(1)', $result);
+	}
+
 /**
  * Tests that changes in output formats using Debugger::output() change the templates used.
  *

lib/Cake/Utility/Debugger.php

@@ -774,6 +774,7 @@ class Debugger {
 
 		if (!empty($tpl['escapeContext'])) {
 			$context = h($context);
+			$data['description'] = h($data['description']);
 		}
 
 		$infoData = compact('code', 'context', 'trace');