
Merge branch 'security/escaper-usage'
Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.
Showing 1 changed file with 38 additions and 4 deletions.
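--- a/src/Formatter/Xml.php
+++ b/src/Formatter/Xml.php
@@ -14,6 +14,7 @@
 use DOMDocument;
 use DOMElement;
 use Traversable;
+use Zend\Escaper\Escaper;
 use Zend\Stdlib\ArrayUtils;
 
 /**
@@ -38,6 +39,11 @@ class Xml implements FormatterInterface
      */
     protected $encoding;
 
+    /**
+     * @var Escaper instance
+     */
+    protected $escaper;
+
     /**
      * Format specifier for DateTime objects in event data (default: ISO 8601)
      *
@@ -121,6 +127,33 @@ public function setEncoding($value)
         return $this;
     }
 
+    /**
+     * Set Escaper instance
+     *
+     * @param Escaper $escaper
+     * @return Xml
+     */
+    public function setEscaper(Escaper $escaper)
+    {
+        $this->escaper = $escaper;
+        return $this;
+    }
+
+    /**
+     * Get Escaper instance
+     *
+     * Lazy-loads an instance with the current encoding if none registered.
+     *
+     * @return Escaper
+     */
+    public function getEscaper()
+    {
+        if (null === $this->escaper) {
+            $this->setEscaper(new Escaper($this->getEncoding()));
+        }
+        return $this->escaper;
+    }
+
     /**
      * Formats data into a single line to be written by the writer.
      *
@@ -142,17 +175,18 @@ public function format($event)
             }
         }
 
-        $enc = $this->getEncoding();
-        $dom = new DOMDocument('1.0', $enc);
-        $elt = $dom->appendChild(new DOMElement($this->rootElement));
+        $enc = $this->getEncoding();
+        $escaper = $this->getEscaper();
+        $dom = new DOMDocument('1.0', $enc);
+        $elt = $dom->appendChild(new DOMElement($this->rootElement));
 
         foreach ($dataToInsert as $key => $value) {
             if (empty($value)
                 || is_scalar($value)
                 || (is_object($value) && method_exists($value,'__toString'))
             ) {
                 if ($key == "message") {
-                    $value = htmlspecialchars($value, ENT_COMPAT, $enc);
+                    $value = $escaper->escapeHtml($value);
                 } elseif ($key == "extra" && empty($value)) {
                     continue;
                 }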
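Review bot: getEscaper() in the `@@ -121,6 +127,33` hunk freezes the encoding at the moment of first use, so a `setEncoding()` call made after `format()` has already run leaves `$this->escaper` built for the previous encoding while the `DOMDocument` in `format()` is created with the new one; clearing the cached instance in `setEncoding()` with `$this->escaper = null;` (its body starts outside the hunk) or documenting that the encoding must be set before formatting would close that gap. In the last hunk only the `message` value is passed through `escapeHtml()`; the other scalar values leave the visible lines unescaped, and if they are still handed to `new DOMElement($key, $value)` — whose value argument is documented as not being escaped, which is presumably why `message` is escaped at all — they would need the same treatment, but that part of the loop is outside the hunk so this cannot be confirmed here. The `@var Escaper instance` docblock would be more accurate as `@var Escaper|null Escaper instance, created lazily by getEscaper()` since the property is null until first use.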
