From 23bdb2eedebee5a625ba35baf3098566bb966127 Mon Sep 17 00:00:00 2001
From: Tristan Darricau <github@nicofuma.fr>
Date: Tue, 19 Apr 2016 12:03:32 +0200
Subject: [PATCH] [ticket/security-196] Escapes the exception messages before
 displaying them

SECURITY-196
---
 phpBB/phpbb/event/kernel_exception_subscriber.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/phpBB/phpbb/event/kernel_exception_subscriber.php b/phpBB/phpbb/event/kernel_exception_subscriber.php
index eb7831ad34..34c8422b0a 100644
--- a/phpBB/phpbb/event/kernel_exception_subscriber.php
+++ b/phpBB/phpbb/event/kernel_exception_subscriber.php
@@ -34,6 +34,9 @@ class kernel_exception_subscriber implements EventSubscriberInterface
 	*/
 	protected $user;
 
+	/** @var \phpbb\request\type_cast_helper */
+	protected $type_caster;
+
 	/**
 	* Construct method
 	*
@@ -44,6 +47,7 @@ class kernel_exception_subscriber implements EventSubscriberInterface
 	{
 		$this->template = $template;
 		$this->user = $user;
+		$this->type_caster = new \phpbb\request\type_cast_helper();
 	}
 
 	/**
@@ -57,6 +61,7 @@ class kernel_exception_subscriber implements EventSubscriberInterface
 		$exception = $event->getException();
 
 		$message = $exception->getMessage();
+		$this->type_caster->set_var($message, $message, 'string', false, false);
 
 		if ($exception instanceof \phpbb\exception\exception_interface)
 		{
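Review bot: The escape added before the `instanceof \phpbb\exception\exception_interface` check covers only the raw `getMessage()` string, so anything substituted into the message afterwards is not escaped by it. That branch opens on the last lines of the hunk and its body is outside it; if it expands the message as a language key with the exception's parameters, those parameters need the same treatment, or the template has to escape on output. Separately, the fourth argument `false` is the helper's multibyte switch, and as far as I recall the non-multibyte path replaces bytes above 0x7F with `?`, which would mangle translated or user-supplied non-ASCII messages; `$this->type_caster->set_var($message, $message, 'string', true, false);` would keep them, provided the UTF-8 helpers are loaded on this path. A one-line comment such as `// HTML-escape: the message may carry request-derived text and is shown to the user` would also make clear why a request-casting helper is called here.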