twig/twig: XSS fix in HtmlDumper escapes template and profile names
What changed
Twig\Profiler\Dumper\HtmlDumper now escapes template and profile names with htmlspecialchars() before outputting them in HTML.
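The pattern behind the fix, shown as an added example rather than Twig's own HtmlDumper code: a hypothetical minimal profiler dumper that interpolates a template name straight into HTML, beside the same output routed through htmlspecialchars(). The ProfileEntry class, the dumpUnsafe/dumpSafe functions and the sample values are constructed for illustration.

```php
<?php
// Added example, not Twig's code. Models the pattern the fix addresses: profiler
// output that interpolates template and profile names into HTML. The real class is
// Twig\Profiler\Dumper\HtmlDumper; everything below is a constructed stand-in.

final class ProfileEntry
{
    public function __construct(
        public readonly string $template,   // e.g. an ArrayLoader key, possibly attacker-controlled
        public readonly string $name,       // profile name shown in the dump
        public readonly float $durationMs,
    ) {}
}

// Before the fix: raw interpolation. Markup inside a template name is emitted as markup.
function dumpUnsafe(ProfileEntry $p): string
{
    return sprintf('<li><span class="tpl">%s</span> %s (%.1f ms)</li>',
        $p->template, $p->name, $p->durationMs);
}

// After the fix: every attacker-influenced string goes through htmlspecialchars().
// ENT_QUOTES also escapes single quotes, so the value is safe inside attributes too;
// ENT_SUBSTITUTE keeps malformed UTF-8 from turning the whole name into an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function dumpSafe(ProfileEntry $p): string
{
    return sprintf('<li><span class="tpl">%s</span> %s (%.1f ms)</li>',
        esc($p->template), esc($p->name), $p->durationMs);
}

// Constructed sample: a template key that carries markup, as an ArrayLoader key could.
$entry = new ProfileEntry('<b>index</b>.twig', 'main "layout"', 12.3);

echo dumpUnsafe($entry), PHP_EOL;
echo dumpSafe($entry), PHP_EOL;

// Regression check suitable for a test suite: no tag from the name survives unescaped,
// and the escaped form is present instead.
assert(!str_contains(dumpSafe($entry), '<b>'));
assert(str_contains(dumpSafe($entry), '&lt;b&gt;index&lt;/b&gt;.twig'));
```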
Who it affects
Applications that render Twig profiler output (HtmlDumper) where template or profile names can be attacker-controlled, for example ArrayLoader keys or template names derived from database row IDs.
What to do today
Update Twig to the latest patched version to prevent XSS in profiler output.