From f7baab16e79f2369d4838ab5653c3c07ecf26615 Mon Sep 17 00:00:00 2001
From: Start X <84312884+Antiphishing@users.noreply.github.com>
Date: Thu, 30 May 2024 19:29:52 +0300
Subject: [PATCH] Merge pull request from GHSA-qg5r-95m4-mjgj
* Hotfix: Reflected XSS in Debug mode
* Added entry for the security issue GHSA-qg5r-95m4-mjgj to the CHANGELOG
* Update CHANGELOG.md
* Update CHANGELOG.md
---------
Co-authored-by: Alexander Makarov
---
 framework/CHANGELOG.md | 1 +
 framework/web/ErrorHandler.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 80e5398d164..67c788d1e35 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -27,6 +27,7 @@ Yii Framework 2 Change Log
 - New #20137: Added `yii\caching\CallbackDependency` to allow using a callback to determine if a cache dependency is still valid (laxity7)
 - Enh #20134: Raise minimum `PHP` version to `7.3` (@terabytesoftw)
 - Bug #20141: Update `ezyang/htmlpurifier` dependency to version `4.17` (@terabytesoftw)
+- CVE-2024-32877: Fixed Reflected XSS in Debug mode (Antiphishing)
 - CVE-2024-4990: Fix Unsafe Reflection in base Component class (@mtangoo)
 - Bug #19817: Add MySQL Query `addCheck()` and `dropCheck()` (@bobonov)
 - Bug #20165: Adjust pretty name of closures for PHP 8.4 compatibility (@staabm)
diff --git a/framework/web/ErrorHandler.php b/framework/web/ErrorHandler.php
index 41843099eaa..2b885a17082 100644
--- a/framework/web/ErrorHandler.php
+++ b/framework/web/ErrorHandler.php
@@ -181,7 +181,7 @@ protected function convertExceptionToArray($exception)
      */
     public function htmlEncode($text)
     {
-        return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
     }
 
     /**
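Review bot: The docblock whose closing `*/` is the first context line of the ErrorHandler.php hunk should be updated to state that quotes are now encoded, because switching `ENT_NOQUOTES` to `ENT_QUOTES` changes the contract of a public method that subclasses or views may call; a sentence such as `Encodes special characters, including both single and double quotes, into HTML entities so the result is safe in HTML text and quoted attribute contexts.` would do. With `ENT_HTML5` in the flag set, the single quote is emitted as `&apos;` rather than `&#039;`, so any consumer or test that compares against the numeric form needs adjusting. This fix covers only the HTML text and attribute context; if a debug view places the encoded value inside a JavaScript string or a URL, that output still needs its own context-specific escaping, which this hunk does not address. The method's docblock begins before the hunk.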