Merge commit from fork

Escape error title and description in HtmlErrorRenderer

Author: akrabat

CHANGELOG.md

@@ -10,9 +10,18 @@
 
 ### Removed
 
+## 4.15.2 - 2026-05-22
+
+### Fixed
+
+- Escape HTML entities in HtmlErrorRenderer to prevent XSS attacks ([GHSA-53h4-8rc4-f539](https://github.com/slimphp/Slim/security/advisories/GHSA-53h4-8rc4-f539))
+- Fix static analysis suppression in RouteCollector::removeNamedRoute() (#3445)
+
+**Full Changelog**: https://github.com/slimphp/Slim/compare/4.15.1...4.15.2
+
 ## 4.15.1 - 2025-11-21
 
-## Fixed
+### Fixed
 
 - Allow PHPUnit 10, 11 and 12 when testing Slim itself (#3411)
 

Slim/Error/Renderers/HtmlErrorRenderer.php

@@ -15,8 +15,12 @@
 
 use function get_class;
 use function htmlentities;
+use function htmlspecialchars;
 use function sprintf;
 
+use const ENT_QUOTES;
+use const ENT_SUBSTITUTE;
+
 /**
  * Default Slim application HTML Error Renderer
  */
@@ -29,7 +33,12 @@ public function __invoke(Throwable $exception, bool $displayErrorDetails): strin
             $html .= '<h2>Details</h2>';
             $html .= $this->renderExceptionFragment($exception);
         } else {
-            $html = "<p>{$this->getErrorDescription($exception)}</p>";
+            $description = htmlspecialchars(
+                $this->getErrorDescription($exception),
+                ENT_QUOTES | ENT_SUBSTITUTE,
+                'UTF-8'
+            );
+            $html = "<p>{$description}</p>";
         }
 
         return $this->renderHtmlBody($this->getErrorTitle($exception), $html);
@@ -56,6 +65,8 @@ private function renderExceptionFragment(Throwable $exception): string
 
     public function renderHtmlBody(string $title = '', string $html = ''): string
     {
+        $title = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+
         return sprintf(
             '<!doctype html>' .
             '<html lang="en">' .

tests/Error/AbstractErrorRendererTest.php

@@ -21,10 +21,14 @@
 use Slim\Tests\TestCase;
 use stdClass;
 
+use function htmlspecialchars;
 use function json_decode;
 use function json_encode;
 use function simplexml_load_string;
 
+use const ENT_QUOTES;
+use const ENT_SUBSTITUTE;
+
 class AbstractErrorRendererTest extends TestCase
 {
     public function testHTMLErrorRendererDisplaysErrorDetails()
@@ -94,6 +98,45 @@ public function testHTMLErrorRendererRenderHttpException()
         $this->assertStringContainsString($exceptionDescription, $output, 'Should contain http exception description');
     }
 
+    public function testHTMLErrorRendererEscapesHttpException()
+    {
+        $exceptionTitle = '<script>alert(1)</script>';
+        $exceptionDescription = "<script>alert('xss')</script>";
+
+        $httpExceptionProphecy = $this->prophesize(HttpException::class);
+
+        $httpExceptionProphecy
+            ->getTitle()
+            ->willReturn($exceptionTitle)
+            ->shouldBeCalledOnce();
+
+        $httpExceptionProphecy
+            ->getDescription()
+            ->willReturn($exceptionDescription)
+            ->shouldBeCalledOnce();
+
+        $renderer = new HtmlErrorRenderer();
+        $output = $renderer->__invoke($httpExceptionProphecy->reveal(), false);
+
+        $this->assertStringNotContainsString($exceptionTitle, $output, 'Title must not be rendered unescaped');
+        $this->assertStringContainsString(
+            htmlspecialchars($exceptionTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
+            $output,
+            'Title must be HTML-escaped'
+        );
+
+        $this->assertStringNotContainsString(
+            $exceptionDescription,
+            $output,
+            'Description must not be rendered unescaped'
+        );
+        $this->assertStringContainsString(
+            htmlspecialchars($exceptionDescription, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
+            $output,
+            'Description must be HTML-escaped'
+        );
+    }
+
     public function testJSONErrorRendererDisplaysErrorDetails()
     {
         $exception = new Exception('Oops..');