From 289eb432fbabf4dd3d4a327b06e4d073679b08cc Mon Sep 17 00:00:00 2001
From: jwj <jwjbjg@gmail.com>
Date: Tue, 9 Apr 2024 09:51:26 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=20$key=20=E6=9C=AA=E7=BC=96?=
 =?UTF-8?q?=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

修正异常页面的 XSS 漏洞
```http
GET http://127.0.0.1:8080/?%3Cscript%3Eeval(atob(`YWxlcnQoJzEyMycp`))%3C/script%3E=1
```

```php
<?php

namespace app\controller;

class Index
{
    public function index(array $params)
    {
    }
}
```
---
 src/tpl/think_exception.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tpl/think_exception.tpl b/src/tpl/think_exception.tpl
index 6ea9677cdd..0974bac80c 100644
--- a/src/tpl/think_exception.tpl
+++ b/src/tpl/think_exception.tpl
@@ -68,7 +68,7 @@ if (!function_exists('parse_args')) {
                     break;
             }
 
-            $result[] = is_int($key) ? $value : "'{$key}' => {$value}";
+            $result[] = is_int($key) ? $value : sprintf('\'%s\' => %s', htmlentities($key), $value);
         }
 
         return implode(', ', $result);