From: Sarah Hoffmann <lonvia@denofr.de>
Date: Mon, 20 Feb 2023 14:41:04 +0000 (+0100)
Subject: properly encode special HTML characters in debug mode
X-Git-Tag: v3.7.3~4
X-Git-Url: https://git.openstreetmap.org/nominatim.git/commitdiff_plain/51c3a00d70fd55fcd24bb0ca97c06c74d5a1bb57

properly encode special HTML characters in debug mode
---

diff --git a/lib-php/DebugHtml.php b/lib-php/DebugHtml.php
index 98da8794..702b7899 100644
--- a/lib-php/DebugHtml.php
+++ b/lib-php/DebugHtml.php
@@ -127,7 +127,7 @@ class Debug
 
     public static function printSQL($sSQL)
     {
-        echo '<p><tt><font color="#aaa">'.$sSQL.'</font></tt></p>'."\n";
+        echo '<p><tt><font color="#aaa">'.htmlspecialchars($sSQL).'</font></tt></p>'."\n";
     }
 
     private static function outputVar($mVar, $sPreNL)
@@ -170,11 +170,12 @@ class Debug
         }
 
         if (is_string($mVar)) {
-            echo "'$mVar'";
-            return strlen($mVar) + 2;
+            $sOut = "'$mVar'";
+        } else {
+            $sOut = (string)$mVar;
         }
 
-        echo (string)$mVar;
-        return strlen((string)$mVar);
+        echo htmlspecialchars($sOut);
+        return strlen($sOut);
     }
 }