Escape error messages

Some variables must be escaped because they contain non-alphanumeric characters which can break the message formatting, layout, or make sections invisible, which makes error messages confusing.
tsugiproject · Sep 27, 2024 · 61ea342 · 61ea342
1 parent b682512
commit 61ea342
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/UI/Output.php b/src/UI/Output.php
@@ -1239,15 +1239,15 @@ public static function safe_var_dump($x) {
         self::safe_var_cleanup($x, 0);
         var_dump($x);
         $result = ob_get_clean();
-        return $result;
+        return htmlent_utf8($result);
     }
 
     public static function safe_print_r($x) {
         ob_start();
         self::safe_var_cleanup($x, 0);
         print_r($x);
         $result = ob_get_clean();
-        return $result;
+        return htmlent_utf8($result);
     }
 
     public static function htmlError($message,$detail,$next=false) {