Make debug() message work better (usable)

Plus eleventy billion! Marked #639372: Debug() should output with <code> tags as a duplicate.

However, we need to be concerned about security here. While on IRC Jimmy confirmed that this only affects the dsm() triggered by either debug() or PHP errors, not "normal" drupal_set_message()s (so for example, you can't stick JS in a node title), it still seems like it'd be possible to piggy-back malicious code and get the admin to execute it. For example, SQL errors will read out the part of the query that failed, so if you manage to stick '<script>alert('xss');</script>' or similar into a field someplace near a failure, it seems like you could inject malicious JS code... or worse. :\

Error messages are actually HTML in PHP, while exception messages are plain-text (totally brain-dead...).

Try:

trigger_error("A & B");
throw new Exception("A & B");

You will get:

Notice: A & B in /shared/Drupal/Core/d7/titi.php on line 2

Fatal error: Uncaught exception 'Exception' with message 'A &amp; B' in /shared/Drupal/Core/d7/titi.php:3
Stack trace:
#0 {main}
thrown in /shared/Drupal/Core/d7/titi.php on line 3

So we should be consistent with this, and stop encoding error messages. That should help this patch move forward.

Tested on the latest Drupal HEAD just now. Still applies, and looks so beautiful on the screen and in logs.

I really hope this can still go in... it does have a plus eleventy-billion from webchick ;-) Note that this is also a concern expressed by several developers in #822714: Add <pre> tags to debug() For me, it felt very, very wrong to tell readers of the Drupal book i'm writing on, or for anyone else to do this, "Drupal 7 includes a debug() function, which is a great convenience when developing (or debugging). Unfortunately, its output runs together when displayed such that it is hard to see the structure of a complex array. Viewing the source code shows the structure but with the distraction of escaped HTML character entities. We can see nested arrays better by using the Devel module's dpr(), dvr(), or dkr() functions; a var_export() or print_r() function call wrapped in <pre> tags in a drupal_set_message() as above; or, of course, a debugger (see chapter {develenv})."

Good stuff, boombatower. Thanks for the patch. Tagging as a developer experience issue.

Oh, yes, pretty please...

Works for me, too.

Great work! I consider this a bug fix, since the current function is well-intentioned but doesn't actually work, really.

I tested this with the following:

<?php
debug('your mom');
debug(array('your' => 'mom', 'my' => 'dad'));
debug("<script>alert('xss');</script>");
?>

I verified that both before and after this patch this correctly escapes stuff both on-screen and in watchdog, which was a problem in one of the earlier patches that I reviewed, iirc.

The only thing I'd suggest is wrapping the scalar value in <pre> ... </pre> as well. It looks a bit inconsistent now:

Subscribing, coming from #822714: Add <pre> tags to debug()

The escaping single quotation marks in the output is a little weird. Personally, i'd change that before trying to make strings etc. output in the same font as arrays and objects. Note that pre tags will always mean at least three-line messages if there is a label.

Same as #13, but wrapping in <pre> for all variable types, as @webchick suggested.

of course, removing the debug() calls would be a good idea. /facepalm

Great. Committed to HEAD!