Closed jecknig closed 8 years ago
The following code will fail:
$sandbox = new PHPSandbox\PHPSandbox; $sandbox->defineVar('test', "\\'"); $sandbox->execute("echo $test;")
The problem is caused by line 6487 in src/PHPSandbox.php:
$output[] = '$' . $name . " = '" . addcslashes($value, "'") . "'";
The string \' will be escaped to \\', so the \ will be considered as escaped by PHP but not the '.
\'
\\'
\
'
Replacing the line by
$output[] = '$' . $name . " = '" . addcslashes($value, "'\\") . "'";
would solve the problem
The following code will fail:
The problem is caused by line 6487 in src/PHPSandbox.php:
The string
\'will be escaped to\\', so the\will be considered as escaped by PHP but not the'.Replacing the line by
would solve the problem