Merge branch '6.4' into 7.4

* 6.4:
  [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING']

Author: nicolas-grekas

Profiler/CodeExtension.php

@@ -126,7 +126,7 @@ public function fileExcerpt(string $file, int $line, int $srcContext = 3): ?stri
         $contents = file_get_contents($file);
 
         if (!str_contains($contents, '<?php') && !str_contains($contents, '<?=')) {
-            $lines = explode("\n", $contents);
+            $lines = explode("\n", htmlspecialchars($contents, \ENT_QUOTES | \ENT_SUBSTITUTE, $this->charset));
 
             if (0 > $srcContext) {
                 $srcContext = \count($lines);

Tests/Fixtures/xss.html

@@ -0,0 +1,2 @@
+<script>alert(1)</script>
+& "quoted" <tags>

Tests/Profiler/CodeExtensionTest.php

@@ -223,6 +223,17 @@ public static function fileExcerptIntegrationProvider()
         ];
     }
 
+    public function testFileExcerptEscapesNonPhpContents()
+    {
+        $file = \dirname(__DIR__).\DIRECTORY_SEPARATOR.'Fixtures'.\DIRECTORY_SEPARATOR.'xss.html';
+
+        $html = $this->getExtension()->fileExcerpt($file, 1);
+
+        $this->assertStringNotContainsString('<script>', $html);
+        $this->assertStringContainsString('&lt;script&gt;alert(1)&lt;/script&gt;', $html);
+        $this->assertStringContainsString('&amp; &quot;quoted&quot; &lt;tags&gt;', $html);
+    }
+
     public function testFormatFileFromTextIntegration()
     {
         $template = <<<'TWIG'