From e292aecad599f24458c6fff483df8b2bf8750ae9 Mon Sep 17 00:00:00 2001
From: Evgeny Anisiforov <evgeny@anisiforov.de>
Date: Fri, 12 Feb 2016 15:09:34 +0100
Subject: [PATCH] fixed XSS vulnerability in sql parameter value rendering

---
 .../Resources/widgets/sqlqueries/widget.js    | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/DebugBar/Resources/widgets/sqlqueries/widget.js b/src/DebugBar/Resources/widgets/sqlqueries/widget.js
index c0d75a57..c0c6aae8 100644
--- a/src/DebugBar/Resources/widgets/sqlqueries/widget.js
+++ b/src/DebugBar/Resources/widgets/sqlqueries/widget.js
@@ -1,7 +1,25 @@
 (function($) {
 
     var csscls = PhpDebugBar.utils.makecsscls('phpdebugbar-widgets-');
-
+    
+    var entityMap = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#39;',
+        '/': '&#x2F;',
+        '`': '&#x60;',
+        '=': '&#x3D;'
+    };
+
+    function escapeHtml (string) {
+      return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
+        return entityMap[s];
+      });
+    }
+
+    
     /**
      * Widget for the displaying sql queries
      *
@@ -71,8 +89,8 @@
                     var table = $('<table><tr><th colspan="2">Params</th></tr></table>').addClass(csscls('params')).appendTo(li);
                     for (var key in stmt.params) {
                         if (typeof stmt.params[key] !== 'function') {
-                            table.append('<tr><td class="' + csscls('name') + '">' + key + '</td><td class="' + csscls('value') +
-                            '">' + stmt.params[key] + '</td></tr>');
+                            table.append('<tr><td class="' + csscls('name') + '">' + escapeHtml(key) + '</td><td class="' + csscls('value') +
+                            '">' + escapeHtml(stmt.params[key]) + '</td></tr>');
                         }
                     }
                     li.css('cursor', 'pointer').click(function() {