php · symfony/ux-icons
Heads-up
symfony/ux-icons: XSS via unsanitized SVG in ux_icon() and Icon::toHtml()
The ux_icon() Twig function and Icon::toHtml() inlined SVG without sanitization, allowing XSS via script elements and event handlers.
What changed
Before the fix, the ux_icon() Twig function and Icon::toHtml() inlined SVG markup without any sanitization, so script elements and event-handler attributes in an icon were emitted into the page as-is, allowing XSS. The fix introduces an IconFactory that centralizes sanitization, removing script-capable elements, dangerous attributes, and unsafe URL schemes before the SVG is inlined.
Who it affects
All Symfony applications using symfony/ux-icons that render user-controlled or third-party SVG icons, especially those relying on the default Iconify on-demand path.
What to do today
Update symfony/ux-icons to the latest patched version and review any custom icon sources for potential XSS vectors.
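To make the two points above concrete (what a centralized SVG sanitizer has to strip, and how to review custom icon sources for the same patterns), here is an added example written for this page. It is not code from symfony/ux-icons or its IconFactory; the function names (sanitizeSvg, isSafeUrl), the element and attribute lists, and the sample icon are this example's own constructed choices, and it assumes PHP 8 with ext-dom.

```php
<?php
declare(strict_types=1);

// Added example (not symfony/ux-icons code): a small SVG sanitizer covering the
// three content classes the advisory names. The lists below are constructed
// for illustration; a production sanitizer should allow-list instead.

/** Elements that can execute script or pull in foreign/active content. */
const SCRIPT_CAPABLE_ELEMENTS = [
    'script', 'foreignobject', 'iframe', 'object', 'embed', 'handler',
    'set', 'animate', 'animatetransform', 'animatemotion', // can rewrite href at runtime
];

/** Attributes whose value is a URL and must be scheme-checked. */
const URL_ATTRIBUTES = ['href', 'src'];

/** Accept only fragment references, scheme-less relative URLs, and http(s). */
function isSafeUrl(string $value): bool
{
    // Browsers skip ASCII control characters and whitespace inside a scheme,
    // so "java\tscript:" must be normalised before the check.
    $clean = preg_replace('/[\x00-\x20\x7F]+/', '', $value) ?? '';
    if ($clean === '' || $clean[0] === '#') {
        return true;
    }
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return true; // no scheme present: relative reference
    }
    return in_array(strtolower($m[1]), ['http', 'https'], true);
}

/**
 * Returns the sanitized SVG markup and fills $findings with one line per
 * removed element or attribute, which doubles as a review report for an
 * icon source you do not fully trust.
 */
function sanitizeSvg(string $svg, array &$findings = []): string
{
    $findings = [];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing.
    if (!$doc->loadXML($svg, LIBXML_NONET | LIBXML_NOBLANKS)) {
        libxml_clear_errors();
        throw new InvalidArgumentException('SVG is not well-formed XML');
    }
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    $toRemove = [];
    foreach ($xpath->query('//*') as $el) {
        /** @var DOMElement $el */
        if (in_array(strtolower($el->localName), SCRIPT_CAPABLE_ELEMENTS, true)) {
            $findings[] = sprintf('element <%s> removed', $el->tagName);
            $toRemove[] = $el;
            continue;
        }
        $badAttrs = [];
        foreach ($el->attributes as $attr) {
            /** @var DOMAttr $attr */
            $local = strtolower($attr->localName);
            if (str_starts_with($local, 'on')) {
                $badAttrs[] = [$attr, 'event handler'];
            } elseif (in_array($local, URL_ATTRIBUTES, true) && !isSafeUrl($attr->value)) {
                $badAttrs[] = [$attr, 'unsafe URL scheme'];
            }
        }
        // Remove after iterating: the attribute map is live.
        foreach ($badAttrs as [$attr, $why]) {
            $findings[] = sprintf('attribute %s on <%s> removed (%s)', $attr->name, $el->tagName, $why);
            $el->removeAttributeNode($attr);
        }
    }
    foreach ($toRemove as $el) {
        $el->parentNode?->removeChild($el);
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed sample icon: one benign path plus the three classes listed above.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 24 24">
  <path d="M4 4h16v16H4z" onclick="alert(1)"/>
  <script>alert(1)</script>
  <a xlink:href="jav&#x09;ascript:alert(1)"><circle r="4"/></a>
  <a href="#local"><rect width="2" height="2"/></a>
</svg>
SVG;

$clean = sanitizeSvg($sample, $findings);
echo $clean, PHP_EOL;
foreach ($findings as $f) {
    echo ' - ', $f, PHP_EOL;
}
```

Running the script on the constructed sample leaves the path, both anchors, the circle and the rect in place, drops the script element, the onclick attribute and the obfuscated xlink:href, and keeps the "#local" reference. Pointing sanitizeSvg() at each file of a custom icon set and looking at a non-empty $findings list is a quick way to do the review step above; for the rendering path itself, rely on the patched package's IconFactory rather than an ad-hoc deny-list like this one, since deny-lists miss elements and attributes they do not name.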