From edfda47cf4692a60fcfed910c6f10f2ac5e1cf05 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Sat, 10 Dec 2016 08:47:13 -0500
Subject: [PATCH] Fix missing HTML encoding in Debugger

Fix missing HTML encoding when error messages contain HTML. This can happen when user data is used as an offset in an array in an unchecked way.

Thanks to Teppei Fukuda for reporting this issue via the responsible security disclosure process.
---
 lib/Cake/Test/Case/Utility/DebuggerTest.php | 18 ++++++++++++++++++
 lib/Cake/Utility/Debugger.php | 1 +
 2 files changed, 19 insertions(+)

diff --git a/lib/Cake/Test/Case/Utility/DebuggerTest.php b/lib/Cake/Test/Case/Utility/DebuggerTest.php
index 4179a7636..3528ce5f7 100644
--- a/lib/Cake/Test/Case/Utility/DebuggerTest.php
+++ b/lib/Cake/Test/Case/Utility/DebuggerTest.php
@@ -155,6 +155,24 @@ class DebuggerTest extends CakeTestCase {
 $this->assertContains('$wrong = ''', $result[3], 'Context should be HTML escaped.');
 }
 
+/**
+ * test encodes error messages
+ *
+ * @return void
+ */
+ public function testOutputEncodeDescription() {
+ set_error_handler('Debugger::showError');
+ $this->_restoreError = true;
+
+ ob_start();
+ $a = 'things';
+ $b = $a[''];
+ $result = ob_get_clean();
+
+ $this->assertNotContains('