pfSense

There are multiple issues with the formatting of PHP errors in the GUI, including:

• Error/stack trace is printed twice
• Error message is plain text (not HTML) but is getting formatted like HTML
• Function arguments are printed in the stack trace which may contain user input

The first item is due to display_errors being on in php.ini but there is no need to display errors directly from PHP, they are printed in source:src/etc/inc/config.lib.inc#L1168 by pfSense_clear_globals() -- Changing display_errors to off is sufficient to address this.

The second point can be handled by wrapping the error output in tags or some variation thereof, plus encoding the error message itself. The relevant code where the errors are printed is in in pfSense_clear_globals() in source:src/etc/inc/config.lib.inc#L1168 (or close to there).

The second and third points combined have a potential to lead to an XSS if the user can influence the arguments displayed in the stack trace. So not only should we take more care when printing the errors (encode via htmlentities() or htmlspecialchars() in pfSense_clear_globals() in source:src/etc/inc/config.lib.inc#L1168) but on release versions we should suppress the function arguments in stack traces entirely (zend.exception_ignore_args=1 in php.ini)

I have a tested and working patch ready to commit.