Merge pull request #27 from phpbb/ticket/security-196

[ticket/security-196] Escapes the exception messages before displaying them

phpBB/phpbb/event/kernel_exception_subscriber.php

@@ -34,6 +34,9 @@ class kernel_exception_subscriber implements EventSubscriberInterface
 	*/
 	protected $user;
 
+	/** @var \phpbb\request\type_cast_helper */
+	protected $type_caster;
+
 	/**
 	* Construct method
 	*
@@ -44,6 +47,7 @@ class kernel_exception_subscriber implements EventSubscriberInterface
 	{
 		$this->template = $template;
 		$this->user = $user;
+		$this->type_caster = new \phpbb\request\type_cast_helper();
 	}
 
 	/**
@@ -57,6 +61,7 @@ class kernel_exception_subscriber implements EventSubscriberInterface
 		$exception = $event->getException();
 
 		$message = $exception->getMessage();
+		$this->type_caster->set_var($message, $message, 'string', false, false);
 
 		if ($exception instanceof \phpbb\exception\exception_interface)
 		{