
fixed escaping in CodeHelper::formatArgs()

Fabien Potencier 14 年之前
父節點
當前提交
e3944bf4e6

+ 2 - 2
src/Symfony/Bundle/FrameworkBundle/Templating/Helper/CodeHelper.php

@@ -104,7 +104,7 @@ class CodeHelper extends Helper
             } elseif ('array' === $item[0]) {
                 $formattedValue = sprintf("<em>array</em>(%s)", $this->formatArgs($item[1]));
             } elseif ('string'  === $item[0]) {
-                $formattedValue = sprintf("'%s'", $item[1]);
+                $formattedValue = sprintf("'%s'", htmlspecialchars($item[1], ENT_QUOTES, $this->getCharset()));
             } elseif ('null' === $item[0]) {
                 $formattedValue = '<em>null</em>';
             } elseif ('boolean' === $item[0]) {
@@ -112,7 +112,7 @@ class CodeHelper extends Helper
             } elseif ('resource' === $item[0]) {
                 $formattedValue = '<em>resource</em>';
             } else {
-                $formattedValue = str_replace("\n", '', var_export((string) $item[1], true));
+                $formattedValue = str_replace("\n", '', var_export(htmlspecialchars((string) $item[1], ENT_QUOTES, $this->getCharset()), true));
             }
 
             $result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", $key, $formattedValue);
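Review bot: The array key interpolated on the last line of this hunk, `sprintf("'%s' => %s", $key, $formattedValue)`, is still emitted raw while the values around it are now escaped, so a non-integer key (the `array` branch recurses into `$item[1]`, whose keys can be arbitrary strings) reaches the page unescaped even though the TemplatingExtension hunk now declares `format_args` html-safe. The same call used for the values should cover the key: `$result[] = is_int($key) ? $formattedValue : sprintf("'%s' => %s", htmlspecialchars($key, ENT_QUOTES, $this->getCharset()), $formattedValue);`. In this hunk the order htmlspecialchars-then-var_export only works because ENT_QUOTES removes every quote that var_export would otherwise backslash-escape; that dependency deserves a one-line comment, or escaping the var_export output instead, which keeps the displayed text identical to var_export's own form. formatArgs starts before the first hunk and ends after this one, so any other interpolation sites in the method are not visible here.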

+ 1 - 1
src/Symfony/Bundle/TwigBundle/Extension/TemplatingExtension.php

@@ -51,7 +51,7 @@ class TemplatingExtension extends \Twig_Extension
             'dump' => new \Twig_Filter_Method($this, 'dump'),
             'abbr_class' => new \Twig_Filter_Method($this, 'abbrClass', array('is_safe' => array('html'))),
             'abbr_method' => new \Twig_Filter_Method($this, 'abbrMethod', array('is_safe' => array('html'))),
-            'format_args' => new \Twig_Filter_Method($this, 'formatArgs'),
+            'format_args' => new \Twig_Filter_Method($this, 'formatArgs', array('is_safe' => array('html'))),
             'format_args_as_text' => new \Twig_Filter_Method($this, 'formatArgsAsText', array('is_safe' => array('html'))),
             'file_excerpt' => new \Twig_Filter_Method($this, 'fileExcerpt', array('is_safe' => array('html'))),
             'format_file' => new \Twig_Filter_Method($this, 'formatFile', array('is_safe' => array('html'))),