Merge pull request laravel#1305 from nmalcolm/develop

taylorotwell · taylorotwell · commit 4f8a6724b083 · 2012-10-02T17:22:11.000-07:00
Fixes XSS vulnerability in Profiler
diff --git a/laravel/profiling/profiler.php b/laravel/profiling/profiler.php
@@ -148,6 +148,7 @@ public static function query($sql, $bindings, $time)
 			$binding = Database::connection()->pdo->quote($binding);
 
 			$sql = preg_replace('/\?/', $binding, $sql, 1);
+			$sql = htmlspecialchars($sql);
 		}
 
 		static::$data['queries'][] = array($sql, $time);

Original file line number	Diff line number	Diff line change
`@@ -148,6 +148,7 @@ public static function query($sql, $bindings, $time)`
`148`	`148`	`$binding = Database::connection()->pdo->quote($binding);`
`149`	`149`
`150`	`150`	`$sql = preg_replace('/\?/', $binding, $sql, 1);`
	`151`	`+ $sql = htmlspecialchars($sql);`
`151`	`152`	`}`
`152`	`153`
`153`	`154`	`static::$data['queries'][] = array($sql, $time);`