Escape query bindings

Fixes #198

Author: barryvdh

changelog.md

@@ -1,9 +1,10 @@
 # Changelog for Laravel Debugbar
 
-## 1.7.7 (2014-09-..)
+## 1.7.7 (2014-09-15)
 
 - Make it compatible with Laravel 5.0-dev
 - Allow anonymous function as `enabled` setting (for IP checks etc)
+- Escape query bindings, to prevent executing of scripts/html
 
 ## 1.7.6 (2014-09-12)
 

src/DataCollector/QueryCollector.php

@@ -76,7 +76,7 @@ public function addQuery($query, $bindings, $time, $connection)
 
         $this->queries[] = array(
             'query' => $query,
-            'bindings' => $bindings,
+            'bindings' => $this->escapeBindings($bindings),
             'time' => $time,
             'source' => $source,
         );
@@ -102,6 +102,20 @@ protected function checkBindings($bindings)
         return $bindings;
     }
 
+    /**
+     * Make the bindings safe for outputting.
+     *
+     * @param array $bindings
+     * @return array
+     */
+    protected function escapeBindings($bindings)
+    {
+        foreach ($bindings as &$binding) {
+            $binding = htmlentities($binding, ENT_QUOTES, 'UTF-8', false);
+        }
+        return $bindings;
+    }
+    
     /**
      * Use a backtrace to search for the origin of the query.
      */