SECURITY: Escape internal error message
[lhc/web/wiklou.git] / includes / exception / MWException.php
index c633431..6d95919 100644 (file)
@@ -103,13 +103,15 @@ class MWException extends Exception {
                        $logId = WebRequest::getRequestId();
                        $type = static::class;
                        return Html::errorBox(
-                       '[' . $logId . '] ' .
-                       gmdate( 'Y-m-d H:i:s' ) . ": " .
-                       $this->msg( "internalerror-fatal-exception",
-                               "Fatal exception of type $1",
-                               $type,
-                               $logId,
-                               MWExceptionHandler::getURL( $this )
+                       htmlspecialchars(
+                               '[' . $logId . '] ' .
+                               gmdate( 'Y-m-d H:i:s' ) . ": " .
+                               $this->msg( "internalerror-fatal-exception",
+                                       "Fatal exception of type $1",
+                                       $type,
+                                       $logId,
+                                       MWExceptionHandler::getURL( $this )
+                               )
                        ) ) .
                        "<!-- Set \$wgShowExceptionDetails = true; " .
                        "at the bottom of LocalSettings.php to show detailed " .
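Review bot: The added `htmlspecialchars(` call relies on PHP's default flags, which before PHP 8.1 do not include `ENT_SUBSTITUTE`. On those versions a single malformed UTF-8 byte anywhere in the concatenated string makes the function return an empty string, and the error box would lose its log ID and message; this could happen through `$logId` if the request ID can be supplied by the client, which is not visible here. Passing the flags explicitly, as in `htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`, keeps the output both escaped and non-empty regardless of PHP version. A short comment above the call, such as `// Html::errorBox() expects HTML; the log ID and message text are plain text and must be escaped here`, would also record why the wrapper must stay. The enclosing method starts and ends outside this hunk, so its other output paths could not be checked.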