Merge pull request #107 from AuditeMarlow/prevent-html-injection

freekmurze · web-flow · commit 2a0be1fb6c4b · 2024-12-23T11:50:52.000+01:00
Prevent HTML injection
diff --git a/src/Tinker.php b/src/Tinker.php
@@ -35,7 +35,7 @@ public function __construct(OutputModifier $outputModifier)
     public function execute(string $phpCode): string
     {
         $phpCode = $this->removeComments($phpCode);
-        
+
         $this->shell->addInput($phpCode);
 
         $closure = new ExecutionLoopClosure($this->shell);
@@ -116,6 +116,6 @@ protected function cleanOutput(string $output): string
 
         $output = preg_replace('/(?s)(<whisper.*?<\/whisper>)|INFO  Ctrl\+D\./ms', '$2', $output);
 
-        return trim($output);
+        return htmlentities(trim($output));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public function __construct(OutputModifier $outputModifier)`
`35`	`35`	`public function execute(string $phpCode): string`
`36`	`36`	`{`
`37`	`37`	`$phpCode = $this->removeComments($phpCode);`
`38`		`-`
	`38`	`+`
`39`	`39`	`$this->shell->addInput($phpCode);`
`40`	`40`
`41`	`41`	`$closure = new ExecutionLoopClosure($this->shell);`
`@@ -116,6 +116,6 @@ protected function cleanOutput(string $output): string`
`116`	`116`
`117`	`117`	`$output = preg_replace('/(?s)(<whisper.*?<\/whisper>)\|INFO Ctrl\+D\./ms', '$2', $output);`
`118`	`118`
`119`		`- return trim($output);`
	`119`	`+ return htmlentities(trim($output));`
`120`	`120`	`}`
`121`	`121`	`}`