symfony/ux-autocomplete: Stimulus controller now escapes text field by default to prevent XSS
The Stimulus controller in symfony/ux-autocomplete now HTML-escapes the `text` field in AJAX response items by default, preventing stored XSS.
What changed
Previously, the Stimulus controller interpolated the `text` value of each AJAX response item directly into HTML template literals without escaping, so any markup present in that value was rendered as HTML rather than shown as text. An attacker who can get markup into the underlying data (a stored display name, for example) could therefore inject script into any page rendering an autocomplete dropdown over that data, which is stored XSS. The controller now HTML-escapes `text` by default. Endpoints that genuinely need to return HTML in `text` can opt in with `options_as_html: true`; with that option set, the old behaviour is restored and escaping becomes the server's responsibility.
Who it affects
Users of symfony/ux-autocomplete whose autocomplete options can contain user-supplied content (user names, titles, free-text labels), especially those populating the dropdown from an AJAX endpoint, since any stored markup in that data reached the DOM unescaped.
What to do today
Update to the patched version of symfony/ux-autocomplete (commit 842ae54bc74de389299f975f01aafae272cb0019 for branch 2.x, forward-ported to 3.x). If you rely on returning HTML in autocomplete items, set `options_as_html: true` on your endpoint, and check that the endpoint escapes every user-controlled fragment before wrapping it in markup: with the opt-in enabled, the controller no longer escapes for you, so an unescaped value re-opens the same XSS.
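The following is an added illustration of the pattern described under "What changed" and of the server-side obligation that comes with the `options_as_html` opt-in under "What to do today". It is not code from symfony/ux-autocomplete or Tom Select; the function names, the `optionsAsHtml` flag, the `escapeHtml` helper and the sample items are assumptions made for this example. It shows a `text` value interpolated into a template literal with and without escaping, and an endpoint-side item builder that escapes user data before adding markup of its own.

```javascript
// Added example, not the project's controller code. Reproduces the advisory's
// pattern: an AJAX result item's `text` dropped into an HTML template literal.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pre-fix behaviour (hypothetical reconstruction): `text` is interpolated
// verbatim, so markup in the data becomes live DOM.
function renderOptionUnescaped(item) {
  return `<div class="option">${item.text}</div>`;
}

// Post-fix behaviour: escape by default, pass through only when the field
// opted in (the hypothetical `optionsAsHtml` flag stands in for options_as_html).
function renderOption(item, { optionsAsHtml = false } = {}) {
  const text = optionsAsHtml ? item.text : escapeHtml(item.text);
  return `<div class="option">${text}</div>`;
}

// Endpoint side of the opt-in: if `text` carries HTML, every user-controlled
// fragment must be escaped before the endpoint wraps it in its own markup.
function buildHtmlItem(record) {
  return {
    value: record.id,
    text: `<strong>${escapeHtml(record.name)}</strong> <small>${escapeHtml(record.email)}</small>`,
  };
}

// True when the rendered option contains an <img> tag, i.e. the payload
// survived as markup rather than being shown as text.
function containsImgTag(html) {
  return /<img\b/i.test(html);
}

// Constructed sample: a stored display name carrying an event-handler payload.
const hostileItem = { value: 7, text: '<img src=x onerror="alert(document.cookie)">' };

// Constructed sample record for the opt-in endpoint.
const hostileRecord = { id: 1, name: 'Ada <script>', email: 'ada@example.test' };

console.log(renderOptionUnescaped(hostileItem)); // payload rendered as a tag
console.log(renderOption(hostileItem));          // payload shown as text
console.log(buildHtmlItem(hostileRecord).text);  // safe HTML for options_as_html
```

Run it with `node` to see the three renderings side by side. The point to check in your own code is the last function: once `options_as_html: true` is set, `buildHtmlItem` (or whatever builds your endpoint's items) is the only place escaping happens, so any field it concatenates without `escapeHtml` is a live injection point.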