From: Rasmus Lerdorf
Date: Sun, 8 May 2005 17:09:24 +0000 (+0000)
Subject: Let's not XSS ourself at least
X-Git-Tag: php-4.4.0RC1~74
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0b7fbabd80e19dc532e234b4657c86c024e6ca82;p=php
Let's not XSS ourself at least
---
diff --git a/ext/standard/info.c b/ext/standard/info.c
index d1664aff2b..23a5c96544 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -593,7 +593,9 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 php_info_print_table_start();
 php_info_print_table_header(2, "Variable", "Value");
 if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
- php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ char *elem_esc = php_info_html_esc(Z_STRVAL_PP(data) TSRMLS_CC);
+ php_info_print_table_row(2, "PHP_SELF", elem_esc);
+ efree(elem_esc);
 }
 if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
 php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
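Review bot: Only the PHP_SELF row is HTML-escaped; the PHP_AUTH_TYPE row in the trailing context still passes `Z_STRVAL_PP(data)` straight to `php_info_print_table_row`, and any similar rows below the hunk presumably do the same, so output encoding depends on each call site remembering it. Escaping once inside the row printer would cover every row, but its body is not visible here, so first confirm it does not already escape, which would double-encode this value. Separately, the new code hands `Z_STRVAL_PP(data)` to `php_info_html_esc` without checking the zval's type. Because the value is looked up in the global symbol table, extending the condition to `... != FAILURE && Z_TYPE_PP(data) == IS_STRING) {` would keep a non-string PHP_SELF from being read as a string pointer. The body of php_print_info starts and ends outside the hunk.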