zend-developer-tools
zend-developer-tools copied to clipboard
zendframework
ApplicationConfig unescaped
Hi. Broken page because the code is displayed unescaped. It seems there is a problem in ConfigCollector::unserializeArray().
@mamont77 are you running the latest version? Escaping should be applied there...
Could you please paste the HTML generated by the toolbar? I didn't find the location where the output would not be correctly escaped..
Sorry, I could not attach a file, unsupported format. Temporarily added to my repository. https://github.com/mamont77/fcontrol/blob/master/temp.html
@mamont77 if I get this correctly, it's a problem in Zend\Debug itself.
The problems are at https://github.com/mamont77/fcontrol/blob/master/temp.html#L367, right?
If so, then this issue should be opened against Zend\Debug with a small test array (nothing fancy, just those weird keys).
@Ocramius I'm not convinced by your analysis. Zend\Debug\Debug::dump() does the following:
- If xdebug is detected, it simply wraps the output in
<pre>tags. - If not, it uses the composed
Zend\Escaper\Escaperinstance, and callsescapeHtml()to escape the output, before wrapping in<pre>tags.
Based on the configuration dumped, I'd argue it's a problem with Escaper, to be honest -- there are clearly < and > characters not being escaped.
@weierophinney no analysis: I just stopped after finding out that it's not ZDT ;)
Odd -- I took the relevant parts of the configuration:
- the console routes
- the super messenger configuration
- the factories that were defined as inline anonymous functions
and wrote a test to see if the values were being escaped. They were. In fact, all quotes, all angle brackets, and a number of other characters were being escaped for HTML.
This makes me wonder if it's either (a) browser-specific, or (b) an issue with how the JS library is handling the data.
This repository has been closed and moved to laminas/laminas-developer-tools; a new issue has been opened at https://github.com/laminas/laminas-developer-tools/issues/20.