From 61ea342c1dec74522dcc69b798f96095d68cfeb9 Mon Sep 17 00:00:00 2001
From: Thomas Brierley
Date: Fri, 27 Sep 2024 01:14:59 +0100
Subject: [PATCH] Escape error messages

Some variables must be escaped because they contain non-alphanumeric characters which can break the message formatting, layout, or make sections invisible, which makes error messages confusing.
---
 src/UI/Output.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/UI/Output.php b/src/UI/Output.php
index 0a19aeb..a67c183 100644
--- a/src/UI/Output.php
+++ b/src/UI/Output.php
@@ -1239,7 +1239,7 @@ public static function safe_var_dump($x) {
 self::safe_var_cleanup($x, 0);
 var_dump($x);
 $result = ob_get_clean();
- return $result;
+ return htmlent_utf8($result);
 }

 public static function safe_print_r($x) {
@@ -1247,7 +1247,7 @@ public static function safe_print_r($x) {
 self::safe_var_cleanup($x, 0);
 print_r($x);
 $result = ob_get_clean();
- return $result;
+ return htmlent_utf8($result);
 }

 public static function htmlError($message,$detail,$next=false) {
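Review bot: Returning `htmlent_utf8($result)` from `safe_var_dump()` (and identically from `safe_print_r()` in the second hunk) moves HTML encoding from the output site into the producer, so every caller now receives HTML-encoded text. The callers are not visible here; any that already escape the value will double-encode it, and any that pass it to a log or other non-HTML sink will record entities instead of the raw dump, so those call sites should be checked. It is also worth confirming that `htmlent_utf8()` encodes quotes, in case the result is ever placed inside an attribute value. I would document the new contract on both methods, e.g. `/** Returns the dump HTML-escaped for direct inclusion in a page; do not escape again. */`. Both function bodies start above their hunks, so the buffering setup is not visible in this review.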