#1344: AgaviException::buildParamList has escaping issues
-----------------------+----------------------------------------------------
 Reporter:  david      |       Owner:  david
     Type:  defect     |      Status:  new
 Priority:  normal     |   Milestone:  1.0.5
Component:  exception  |     Version:  1.0.4
 Severity:  normal     |    Keywords:
Has_patch:  0          |
-----------------------+----------------------------------------------------
Introduced in [4595], since the {{{var_export()}}} call doesn't use
{{{true}}} as the second arg.

Besides that, the regex above it also needs the {{{s}}} modifier since
otherwise, the {{{.}}} class used doesn't match on newlines (right now
with the missing {{{true}}} for {{{var_export()}}},
{{{htmlspecialchars()}}} isn't applied, and the function spits out e.g.
the literal content of config files to write on a permissions exception
for cache files, which then isn't visible in the browser as it starts with
{{{<?php}}}).

Also, array keys should be restricted in length, and the recursive call
for sub-elements needs to pass on the {{{$html}}} argument. I do however
think that the depth of arrays should be limited in general so it only
outputs one level of the array.
--
Ticket URL: <http://trac.agavi.org/ticket/1344>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5
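
The two failure modes named in the ticket, reproduced in a stand-alone PHP sketch and followed by a formatter that applies the proposed fixes. This is an added example, not Agavi's `buildParamList()` code; the function names, the truncation pattern and the sample config string are assumptions made for illustration.

```php
<?php
// Added example, not Agavi code: function names and sample values are constructed.

// First point of the ticket: var_export() without `true` echoes and returns null,
// so htmlspecialchars() receives nothing and the raw text goes to the output.
function exportWithoutReturnFlag($value)
{
    ob_start();                                   // capture what leaks to output
    $escaped = htmlspecialchars((string) var_export($value));
    return array('escaped' => $escaped, 'leaked' => ob_get_clean());
}

// Second point: "." only matches newlines with the "s" modifier, so a
// truncating pattern (hypothetical here) skips multi-line values without it.
function truncate($text, $maxLen, $modifiers = 's')
{
    return preg_replace('/^(.{' . (int) $maxLen . '}).+$/' . $modifiers, '$1...', $text);
}

// Hardened formatter: uses the returned export, truncates values and keys,
// passes $html on to the recursive call, and prints one array level only.
function describeParam($value, $html = true, $maxLen = 24, $depth = 0)
{
    $esc = function ($s) use ($html) {
        return $html ? htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $s;
    };
    if (!is_array($value)) {
        return $esc(truncate(var_export($value, true), $maxLen));
    }
    if ($depth >= 1) {
        return 'array(' . count($value) . ')';    // summarize nested arrays
    }
    $parts = array();
    foreach ($value as $key => $item) {
        $parts[] = $esc(truncate((string) $key, $maxLen)) . ' => '
            . describeParam($item, $html, $maxLen, $depth + 1);
    }
    return 'array(' . implode(', ', $parts) . ')';
}

// Constructed sample resembling generated config-cache content.
$config = "<?php\nreturn array('dsn' => 'mysql:host=db;dbname=app');";

var_dump(exportWithoutReturnFlag($config));       // escaping bypassed
var_dump(truncate($config, 24, ''));              // pattern without "s"
var_dump(truncate($config, 24));                  // pattern with "s"
var_dump(describeParam(array('file' => $config, 'nested' => array('a' => array(1, 2)))));
```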