IA Squad
SearchPT
php · symfony/ux-live-componentHeads-up

symfony/ux-live-component: Strict RFC 3339 parsing for DateTimeInterface LiveProp without explicit format

When a `#[LiveProp]` is typed as `DateTimeInterface` and no explicit `format` is configured, `hydrateObjectValue()` now parses format-less date props strictly with `createFromFormat(DateTimeInterface::RFC3339, .

20 Jun 2026Read 1 minSeverity: schedule it

What changed

When a `#[LiveProp]` is typed as `DateTimeInterface` and no explicit `format` is configured, `hydrateObjectValue()` now parses format-less date props strictly with `createFromFormat(DateTimeInterface::RFC3339, ...)`, rejecting inputs that aren't valid RFC 3339.

Who it affects

Applications using Symfony UX Live Component with `#[LiveProp]` typed as `DateTimeInterface` without an explicit `format`.

What to do today

Update to the patched version (commit d24d78fda6df2d5964312255943ebf3a217b79a2 for 2.x, forward-ported to 3.x) to prevent client-side manipulation of date props.

The trail
Collected Audited Written Published
Source
GitHub Advisory · symfony/ux-live-component

More on symfony/ux-live-component

php · jleehr/canto-saas-api

jleehr/canto-saas-api: Unencoded path variables in Request::buildRequestUrl()

php · jleehr/canto-saas-api

jleehr/canto-saas-api: OAuth2 token request now uses form-encoded POST body, exception messages sanitized