Fix: apply standard html encoding around string arguments in default error/exception renderer

Notes:
- message also formats newlines with nl2br
- no dependency on CHtml::encode as this could cause exceptions as well

Author: marcovtwout

framework/base/CApplication.php

@@ -901,7 +901,7 @@ public function displayError($code,$message,$file,$line)
 		if(YII_DEBUG)
 		{
 			echo "<h1>PHP Error [$code]</h1>\n";
-			echo "<p>$message ($file:$line)</p>\n";
+			echo "<p>".nl2br($this->htmlEncodeInternal($message))." (".$this->htmlEncodeInternal($file).":$line)</p>\n";
 			echo '<pre>';
 
 			$trace=debug_backtrace();
@@ -927,7 +927,7 @@ public function displayError($code,$message,$file,$line)
 		else
 		{
 			echo "<h1>PHP Error [$code]</h1>\n";
-			echo "<p>$message</p>\n";
+			echo "<p>".nl2br($this->htmlEncodeInternal($message))."</p>\n";
 		}
 	}
 
@@ -942,16 +942,26 @@ public function displayException($exception)
 		if(YII_DEBUG)
 		{
 			echo '<h1>'.get_class($exception)."</h1>\n";
-			echo '<p>'.$exception->getMessage().' ('.$exception->getFile().':'.$exception->getLine().')</p>';
-			echo '<pre>'.$exception->getTraceAsString().'</pre>';
+			echo '<p>'.nl2br($this->htmlEncodeInternal($exception->getMessage())).' ('.$this->htmlEncodeInternal($exception->getFile()).':'.$exception->getLine().')</p>';
+			echo '<pre>'.$this->htmlEncodeInternal($exception->getTraceAsString()).'</pre>';
 		}
 		else
 		{
 			echo '<h1>'.get_class($exception)."</h1>\n";
-			echo '<p>'.$exception->getMessage().'</p>';
+			echo '<p>'.nl2br($this->htmlEncodeInternal($exception->getMessage())).'</p>';
 		}
 	}
 
+	/**
+	 * Encode html without a dependency on CHtml::encode(). This method is internally used by displayError/displayException.
+	 * @param string $string
+	 * @return string
+	 */
+	private function htmlEncodeInternal($string)
+	{
+		return htmlspecialchars($string, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
+	}
+
 	/**
 	 * Initializes the error handlers.
 	 */