
Commit 21ca267

committed
Escape error messages in debug mode
While one could argue that turning on debug mode is itself something you shouldn't do in production, at least for some providers this seems to be the case. Since the error messages can contain user-influenced input, this can lead to XSS in the worst case. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
1 parent 80a6f46 commit 21ca267

4 files changed

Lines changed: 4 additions & 4 deletions


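--- a/lib/Saml2/LogoutRequest.php
+++ b/lib/Saml2/LogoutRequest.php
@@ -380,7 +380,7 @@ public function isValid($retrieveParametersFromServer = false)
 $this->_error = $e->getMessage();
 $debug = $this->_settings->isDebugActive();
 if ($debug) {
-echo $this->_error;
+echo htmlentities($this->_error);
 }
 return false;
 }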
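Review bot: The replacement `htmlentities($this->_error)` at old line 383 relies on the interpreter's default flags and charset, so on PHP before 8.1 single quotes are left unescaped (ENT_COMPAT) and, because ENT_SUBSTITUTE is not set, a message containing an invalid byte sequence makes htmlentities return an empty string and the debug output vanishes silently. Pin the behaviour explicitly: `echo htmlspecialchars($this->_error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The same applies to the corresponding lines in lib/Saml2/LogoutResponse.php, lib/Saml2/Response.php and lib/Saml2/Utils.php. isValid() starts and ends outside this hunk.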

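--- a/lib/Saml2/LogoutResponse.php
+++ b/lib/Saml2/LogoutResponse.php
@@ -188,7 +188,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
 $this->_error = $e->getMessage();
 $debug = $this->_settings->isDebugActive();
 if ($debug) {
-echo $this->_error;
+echo htmlentities($this->_error);
 }
 return false;
 }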

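--- a/lib/Saml2/Response.php
+++ b/lib/Saml2/Response.php
@@ -402,7 +402,7 @@ public function isValid($requestId = null)
 $this->_error = $e->getMessage();
 $debug = $this->_settings->isDebugActive();
 if ($debug) {
-echo $this->_error;
+echo htmlentities($this->_error);
 }
 return false;
 }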
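Review bot: The escaped echo at old line 405 still assumes the caller is producing an HTML document at the moment isValid() fails, which this library does not control; at an assertion-consumer endpoint that next calls header() for a redirect, any output here causes a "headers already sent" warning, and HTML-entity encoding is the wrong escaping for a JSON or plain-text response. A debug branch that writes with `error_log($this->_error);` instead of echo needs no context-specific escaping and keeps the message off the wire, while $this->_error remains available for whoever renders it to escape for their own context. isValid() begins and continues outside the hunk.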

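--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -134,7 +134,7 @@ public static function validateXML($xml, $schema, $debug = false)
 
 if ($debug) {
 foreach ($xmlErrors as $error) {
-echo $error->message."\n";
+echo htmlentities($error->message."\n");
 }
 }
 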
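Review bot: At old line 137 the trailing "\n" is concatenated before escaping, so it passes through htmlentities untouched; that is harmless but reads as if the newline needed encoding, and in an HTML context it does not render as a line break anyway. Escaping the message alone and appending the separator keeps the intent clear: `echo htmlentities($error->message) . "\n";`. validateXML() starts and ends outside this hunk, so where $xmlErrors is produced is not visible here.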