Nicolas Grekas
236ca98a42 Merge branch '2.7' into 2.8
* 2.7:
  [DI] Remove unused props from the PhpDumper
  [ProxyManager] Cleanup fixtures
  [Debug] HTML-escape array key
  Add some phpdocs for IDE autocompletion and better SCA
2017-07-28 17:21:22 +02:00
Nicolas Grekas
0946243775 bug #23684 [Debug] Missing escape in debug output (c960657)
This PR was merged into the 2.7 branch.

Discussion
----------

[Debug] Missing escape in debug output

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

When pretty-printing an exception, the debug handler does not properly escape array keys.

The problem only occurs when debug output is enabled, so this is not considered a [security issue](http://symfony.com/doc/current/contributing/code/security.html) (according to @fabpot), because the debug tools [should not be used in production](https://symfony.com/doc/current/components/debug.html#usage).

A test for this is included in my patch for #18722.

Commits
-------

636777d [Debug] HTML-escape array key
2017-07-26 22:00:18 +02:00
Christian Schmidt
e1ce6a4ded [Debug] HTML-escape array key 2017-07-26 17:00:11 +02:00
Fabien Potencier
8470d77011 Merge branch '2.7' into 2.8
* 2.7:
  Using FQ name for PHP_VERSION_ID
  [Form] Fix \IntlDateFormatter timezone parameter usage to bypass PHP bug #66323
  Harden the debugging of Twig filters and functions
  bumped Symfony version to 2.7.29
  updated VERSION for 2.7.28
  update CONTRIBUTORS for 2.7.28
  updated CHANGELOG for 2.7.28
2017-06-01 13:52:29 -07:00
Fabien Potencier
2662c21dea Using FQ name for PHP_VERSION_ID 2017-06-01 13:44:56 -07:00
3 changed files with 7 additions and 7 deletions


@@ -433,7 +433,7 @@ class ErrorHandler
$throw = new \ErrorException($this->levels[$type].': '.$message, 0, $type, $file, $line);
}
if (PHP_VERSION_ID <= 50407 && (PHP_VERSION_ID >= 50400 || PHP_VERSION_ID <= 50317)) {
if (\PHP_VERSION_ID <= 50407 && (\PHP_VERSION_ID >= 50400 || \PHP_VERSION_ID <= 50317)) {
// Exceptions thrown from error handlers are sometimes not caught by the exception
// handler and shutdown handlers are bypassed before 5.4.8/5.3.18.
// We temporarily re-enable display_errors to prevent any blank page related to this bug.


@@ -442,7 +442,7 @@ EOF;
$formattedValue = str_replace("\n", '', var_export($this->escapeHtml((string) $item[1]), true));
}
$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $key, $formattedValue);
$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $this->escapeHtml($key), $formattedValue);
}
return implode(', ', $result);
@@ -457,7 +457,7 @@ EOF;
{
@trigger_error('The '.__METHOD__.' method is deprecated since version 2.7 and will be removed in 3.0.', E_USER_DEPRECATED);
return htmlspecialchars($str, ENT_QUOTES | (PHP_VERSION_ID >= 50400 ? ENT_SUBSTITUTE : 0), 'UTF-8');
return htmlspecialchars($str, ENT_QUOTES | (\PHP_VERSION_ID >= 50400 ? ENT_SUBSTITUTE : 0), 'UTF-8');
}
/**
@@ -465,7 +465,7 @@ EOF;
*/
private function escapeHtml($str)
{
return htmlspecialchars($str, ENT_QUOTES | (PHP_VERSION_ID >= 50400 ? ENT_SUBSTITUTE : 0), $this->charset);
return htmlspecialchars($str, ENT_QUOTES | (\PHP_VERSION_ID >= 50400 ? ENT_SUBSTITUTE : 0), $this->charset);
}
/**
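Review bot: The key escaping added in the `sprintf("'%s' => %s", $this->escapeHtml($key), $formattedValue)` line is the actual fix, but this commit ships no regression test for it — the description defers the test to the patch for #18722, so the escape could silently regress on a later refactor of this method. A test that pushes a trace argument array with a key such as `<b>` through the handler's HTML output and asserts the rendered string contains `'&lt;b&gt;' =>` and does not contain `<b>` would pin it; the exact entry point depends on how the existing ExceptionHandler test drives this formatter, which is not visible here. The enclosing method starts and ends outside this hunk. The two remaining hunks in this file only qualify `PHP_VERSION_ID` with a leading backslash and need nothing further.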


@@ -61,7 +61,7 @@ class DebugClassLoaderTest extends TestCase
public function testUnsilencing()
{
if (PHP_VERSION_ID >= 70000) {
if (\PHP_VERSION_ID >= 70000) {
$this->markTestSkipped('PHP7 throws exceptions, unsilencing is not required anymore.');
}
if (defined('HHVM_VERSION')) {
@@ -111,7 +111,7 @@ class DebugClassLoaderTest extends TestCase
restore_error_handler();
restore_exception_handler();
$this->assertStringStartsWith(__FILE__, $exception->getFile());
if (PHP_VERSION_ID < 70000) {
if (\PHP_VERSION_ID < 70000) {
$this->assertRegExp('/^Runtime Notice: Declaration/', $exception->getMessage());
$this->assertEquals(E_STRICT, $exception->getSeverity());
} else {
@@ -249,7 +249,7 @@ class DebugClassLoaderTest extends TestCase
public function testReservedForPhp7()
{
if (PHP_VERSION_ID >= 70000) {
if (\PHP_VERSION_ID >= 70000) {
$this->markTestSkipped('PHP7 already prevents using reserved names.');
}