From 2cbb3be6022d3adae6f26a65e3b9a4dcc1a231f4 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Tue, 15 May 2007 01:24:20 +0000
Subject: [PATCH] [1.7.0] Armor error messages against XSS injection.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1062 48356398-32a2-884e-a903-53898d9a118a
---
 library/HTMLPurifier/HTMLDefinition.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/library/HTMLPurifier/HTMLDefinition.php b/library/HTMLPurifier/HTMLDefinition.php
index d0b756dd..244dc837 100644
--- a/library/HTMLPurifier/HTMLDefinition.php
+++ b/library/HTMLPurifier/HTMLDefinition.php
@@ -170,6 +170,7 @@ class HTMLPurifier_HTMLDefinition
         $this->processModules();
         $this->setupConfigStuff();
+        // remove complicated variables to ease serialization
         unset($this->config);
         unset($this->manager);
@@ -240,6 +241,7 @@ class HTMLPurifier_HTMLDefinition
         }
         // emit errors
         foreach ($allowed_elements as $element => $d) {
+            $element = htmlspecialchars($element);
             trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
         }
     }
@@ -271,6 +273,8 @@ class HTMLPurifier_HTMLDefinition
         // emit errors
         foreach ($allowed_attributes_mutable as $elattr => $d) {
             list($element, $attribute) = explode('.', $elattr);
+            $element = htmlspecialchars($element);
+            $attribute = htmlspecialchars($attribute);
             if ($element == '*') {
                 trigger_error("Global attribute '$attribute' is not ".
                     "supported in any elements $support",
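Review bot: The new `htmlspecialchars($element)` in the second hunk (and the two calls in the third hunk) uses the default quote style, which leaves single quotes unescaped, while the message it feeds wraps the value in single quotes (`"Element '$element' ..."`); a name containing `'` can still close that quote wherever the warning text is rendered into an HTML attribute. Pass the quote flag explicitly, `$element = htmlspecialchars($element, ENT_QUOTES);`, and likewise for `$attribute` in the third hunk, so the armoring matches how the message is quoted. Note also that escaping happens before `trigger_error`, so non-HTML consumers of these warnings (log files, CLI runs) will see entity-encoded names; if that matters, the escaping belongs in the handler that renders warnings as HTML rather than at the call site. `$support` is interpolated into the same messages without escaping — presumably a fixed string, but worth confirming it never carries config-derived text. The enclosing methods start and end outside these hunks.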