authorBenaka Moorthi <benaka.moorthi@gmail.com>2013-09-27 16:10:05 +0400
committerBenaka Moorthi <benaka.moorthi@gmail.com>2013-09-27 16:10:05 +0400
commita7b7f7940f42bf60e73662009fd9ac29201a134b (patch)
tree75edc21e22c862664c105563ac248a7f3e0a8dfb /core
parent5657acb8d378471fbfe4606313e760b495f6aecb (diff)
Make sure log messages are sanitized when output to the screen.
Diffstat (limited to 'core')
-rw-r--r--core/Log.php6
1 files changed, 5 insertions, 1 deletions
diff --git a/core/Log.php b/core/Log.php
index 8aa989e450..06755e41de 100644
--- a/core/Log.php
+++ b/core/Log.php
@@ -64,6 +64,9 @@ class Log
* The $message parameter is the object that is being logged. Event handlers should
* check if the object is of a certain type and if it is, set $message to the
* string that should be logged.
+ *
+ * The result of this callback can be HTML so no sanitization is done on the result.
+ * This means YOU MUST SANITIZE THE MESSAGE YOURSELF if you use this event.
*/
const FORMAT_SCREEN_MESSAGE_EVENT = 'Log.formatScreenMessage';
@@ -321,7 +324,8 @@ class Log
private function logToScreen($level, $tag, $datetime, $message)
{
if (is_string($message)) {
- $message = '<pre>' . $this->formatMessage($level, $tag, $datetime, $message) . '</pre>';
+ $message = Common::sanitizeInputValue($this->formatMessage($level, $tag, $datetime, $message));
+ $message = '<pre>' . $message . '</pre>';
} else {
Piwik_PostEvent(self::FORMAT_SCREEN_MESSAGE_EVENT, array(&$message, $level, $tag, $datetime, $this));
}
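Review bot: The escaping on the new `Common::sanitizeInputValue(...)` line is an output-encoding step for an HTML context, but the helper's name says "input", so the intent is easy to misread or to refactor away; a short comment above that line would pin it down, e.g. `// Escape for HTML output: the <pre> wrapper below does not neutralise markup in the formatted message.`. If `sanitizeInputValue` does more than HTML-escape (I cannot confirm its behaviour from this hunk), keeping it is fine, otherwise an explicit `htmlspecialchars($formatted, ENT_QUOTES, 'UTF-8')` at this boundary would make the context unambiguous. The `else` branch hands a non-string `$message` to event handlers by reference and, per the docblock added in the first hunk, their result is emitted unescaped, so a one-line comment there (`// Handlers may return HTML; escaping is their responsibility, see FORMAT_SCREEN_MESSAGE_EVENT.`) would keep that contract visible next to the code. `logToScreen` continues past the end of the hunk, so what happens when no handler converts `$message` to a string is not visible here.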