Potential XSS vulnerabilities in CodeExtension filters

Low
nicolas-grekas published GHSA-q847-2q57-wmr3 Nov 10, 2023

Package: symfony/symfony (Composer)
Affected versions: >=2.0.0,<4.4.51; >=5.0.0,<5.4.31; >=6.0.0,<6.3.8
Patched versions: 4.4.51, 5.4.31, 4.4.51

Package: symfony/twig-bridge (Composer)
Affected versions: >=2.0.0,<4.4.51; >=5.0.0,<5.4.31; >=6.0.0,<6.3.8
Patched versions: 4.4.51, 5.4.31, 6.3.8

Description

Some Twig filters in CodeExtension are declared with the "is_safe=html" option, which tells Twig to skip autoescaping of their output, but the filters do not actually ensure that the data they embed in that output is HTML-safe.

Resolution

Symfony now escapes the output of the affected filters.

The patch for this issue is available here for branch 4.4.
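The following is an added illustration of the filter contract the advisory describes; it is not Symfony's code and does not reproduce the CodeExtension filters. The extension class, filter names (unsafe_abbr, safe_abbr) and the input string are constructed for the example, and it assumes twig/twig is installed via Composer so the autoloader is available. It shows a filter that claims `'is_safe' => ['html']` while interpolating its argument verbatim, next to the hardened form that escapes each piece of untrusted data before building markup, which is the shape of the fix (escaping the filter output).

```php
<?php
// Added example (not Symfony's own code): how 'is_safe' => ['html'] interacts
// with Twig autoescaping. Filter names and input below are hypothetical.

require __DIR__.'/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class DemoCodeExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // Weak pattern: the filter promises HTML-safe output, so Twig does not
            // escape it, but the argument is interpolated verbatim.
            new TwigFilter('unsafe_abbr', [$this, 'unsafeAbbr'], ['is_safe' => ['html']]),
            // Hardened pattern: every untrusted value is escaped before it is
            // embedded in the markup the filter returns, so the promise holds.
            new TwigFilter('safe_abbr', [$this, 'safeAbbr'], ['is_safe' => ['html']]),
        ];
    }

    public function unsafeAbbr(string $class): string
    {
        $short = substr(strrchr('\\'.$class, '\\'), 1);

        return sprintf('<abbr title="%s">%s</abbr>', $class, $short);
    }

    public function safeAbbr(string $class): string
    {
        $short = substr(strrchr('\\'.$class, '\\'), 1);

        return sprintf('<abbr title="%s">%s</abbr>', self::escape($class), self::escape($short));
    }

    private static function escape(string $value): string
    {
        // Encode quotes as well as angle brackets: the value also lands in an attribute.
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ name|unsafe_abbr }}',
    'safe'   => '{{ name|safe_abbr }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new DemoCodeExtension());

// Constructed input: a value that is not a plain class name but reaches the filter.
$input = 'App\Foo"><b>injected</b>';

echo $twig->render('unsafe', ['name' => $input]), "\n"; // markup from $input reaches the page as-is
echo $twig->render('safe', ['name' => $input]), "\n";   // quotes and angle brackets are entity-encoded
```

The point to take from the two outputs is that autoescaping offers no protection once a filter declares itself safe; the declaration moves the escaping responsibility into the filter body, and a review of every `is_safe` filter should confirm that each interpolated value is escaped for the context it lands in (attribute or element text).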

Credits

We would like to thank Pierre Rudloff for reporting the issue and Nicolas Grekas for providing the fix.

Severity

Low

CVE ID

CVE-2023-46734