GHSA-5j3w-5pcr-f8hg: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact

Rendering {{ attributes }}, or any method that returns a ComponentAttributes instance (e.g. only(), defaults(), without()), outputs attribute values directly without escaping. If those values are unsafe (e.g. they contain user input), this allows HTML attribute injection and XSS.

Patches

The issue is fixed in version 2.25.1 of symfony/ux-twig-component by using Twig’s EscaperRuntime to properly escape HTML attributes in ComponentAttributes. If you use symfony/ux-live-component, you must also update it to 2.25.1 to benefit from the fix, as it reuses the ComponentAttributes class internally.
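The Patches section names two packages and one fixed version. The following check, an added example rather than code from the symfony/ux project, reads a composer.lock and reports any of the two named packages still below 2.25.1. The lock-file fragment is constructed for the demonstration and the function name is hypothetical; a real run would read the project's own composer.lock.

```php
<?php
declare(strict_types=1);

// Packages named in the advisory and the version that carries the fix.
const AFFECTED_PACKAGES = ['symfony/ux-twig-component', 'symfony/ux-live-component'];
const FIXED_VERSION = '2.25.1';

/**
 * Return [package => installed version] for affected packages still below the fixed version.
 * Branch installs such as "dev-main" cannot be compared with version_compare() and are
 * reported as unverifiable rather than silently treated as patched.
 */
function findUnpatched(string $composerLockJson): array
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    $installed = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    $findings = [];
    foreach ($installed as $package) {
        if (!in_array($package['name'], AFFECTED_PACKAGES, true)) {
            continue;
        }
        $version = ltrim($package['version'], 'v');
        if (str_starts_with($version, 'dev-')) {
            $findings[$package['name']] = 'unverifiable (' . $package['version'] . ')';
        } elseif (version_compare($version, FIXED_VERSION, '<')) {
            $findings[$package['name']] = $version;
        }
    }
    return $findings;
}

// Constructed composer.lock fragment for the example: ux-twig-component was updated,
// ux-live-component was not, which is exactly the case the advisory warns about.
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "symfony/ux-twig-component", "version": "v2.25.1"},
    {"name": "symfony/ux-live-component", "version": "v2.25.0"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": []
}
JSON;

foreach (findUnpatched($lockJson) as $name => $version) {
    echo "$name still at $version, needs >= " . FIXED_VERSION . PHP_EOL;
}
```

Against a real project, call findUnpatched(file_get_contents('composer.lock')) from the project root. The check covers both packages because ux-live-component reuses ComponentAttributes, so updating only ux-twig-component leaves the unescaped code path reachable.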

Workarounds

Until you can upgrade, avoid rendering {{ attributes }} or objects derived from it directly if they may contain untrusted values. Instead, use {{ attributes.render('name') }} to output individual attributes safely.
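To make the attribute-injection mechanism concrete, here is an added example that is not code from symfony/ux: a hypothetical attribute bag with the unescaped rendering the advisory describes next to an escaped rendering, and a DOMDocument parse that shows which attributes a browser would actually see. The class, function names and the attacker value are all constructed for the illustration, and htmlspecialchars() stands in for Twig's escaper rather than reproducing it.

```php
<?php
declare(strict_types=1);

// Hypothetical attribute bag standing in for a ComponentAttributes-like object.
// Illustrative code only, not the symfony/ux implementation.
final class AttributeBag
{
    /** @param array<string, string> $attributes attribute name => value */
    public function __construct(private array $attributes)
    {
    }

    // Vulnerable rendering: values are concatenated into the tag verbatim,
    // which is the behaviour the advisory describes for versions before 2.25.1.
    public function renderUnsafe(): string
    {
        $html = '';
        foreach ($this->attributes as $name => $value) {
            $html .= sprintf(' %s="%s"', $name, $value);
        }
        return $html;
    }

    // Hardened rendering: each value is escaped for the double-quoted attribute
    // context and attribute names are restricted to a safe character set.
    // htmlspecialchars() is a stand-in here for Twig's escaper.
    public function renderEscaped(): string
    {
        $html = '';
        foreach ($this->attributes as $name => $value) {
            if (!preg_match('/^[A-Za-z_:][A-Za-z0-9_:.-]*$/', $name)) {
                throw new InvalidArgumentException("Invalid attribute name: $name");
            }
            $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
            $html .= sprintf(' %s="%s"', $name, $escaped);
        }
        return $html;
    }
}

// Parse a rendered <div> the way a browser would and return the attribute names it ends up with.
function attributeNames(string $divHtml): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $divHtml . '</body></html>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed attacker-controlled value: closes the class attribute and smuggles in an event handler.
$userInput = 'card" onmouseover="alert(document.cookie)';
$bag = new AttributeBag(['class' => $userInput, 'id' => 'profile']);

$unsafe = '<div' . $bag->renderUnsafe() . '></div>';
echo $unsafe, PHP_EOL;
echo implode(', ', attributeNames($unsafe)), PHP_EOL;

$safe = '<div' . $bag->renderEscaped() . '></div>';
echo $safe, PHP_EOL;
echo implode(', ', attributeNames($safe)), PHP_EOL;
```

Parsed back with DOMDocument, the unescaped rendering yields an onmouseover attribute alongside class and id, while the escaped rendering keeps the entire payload inside the class value and yields only class and id. The attribute-name check is a defensive addition of this example; the advisory only states that attribute values were unescaped.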

References

  • GitHub repository: symfony/ux
  • GHSA-5j3w-5pcr-f8hg
  • https://nvd.nist.gov/vuln/detail/CVE-2025-47946
  • symfony/ux-live-component@7ad44cf
  • symfony/ux-twig-component@b5d4e77
  • symfony/ux@b5d1c85
  • symfony/ux@c2f7738