Fixed an XSS vulnerability in the Twig Extension
The 'render_relation_element' filter (in contrast to the other two filters) does not use a template for rendering, but simply returns the '__toString()' value of the given object (that's the default behavior). However, the method was marked as HTML-safe. This leads to the fact that any string returned by '__toString()' (which often comes from direct user input) is output without any escaping. This makes the filter vulnerable to a Stored Cross-Site Scripting attack. The vulnerability has been fixed in this commit.
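The difference the commit message describes, as an added illustration that is not the project's own code: a minimal Twig extension whose filter returns `__toString()` of an object, once registered as HTML-safe (the vulnerable state) and once without that flag so Twig's autoescaping applies. The `RelationElement` class, the `RelationExtension` class and the sample label are constructed for this example; it assumes `twig/twig` is installed via Composer.

```php
<?php
// Added illustration, not the project's code: the same __toString()-based filter
// with and without the 'is_safe' option. Assumes twig/twig via Composer autoload.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical relation element whose label originates from user input.
final class RelationElement
{
    public function __construct(private string $label) {}
    public function __toString(): string { return $this->label; }
}

final class RelationExtension extends AbstractExtension
{
    public function __construct(private bool $markSafe) {}

    public function getFilters(): array
    {
        // ['is_safe' => ['html']] tells Twig the result needs no escaping,
        // so whatever __toString() returns is emitted verbatim (the bug).
        $options = $this->markSafe ? ['is_safe' => ['html']] : [];
        return [
            new TwigFilter(
                'render_relation_element',
                fn (object $element): string => (string) $element,
                $options
            ),
        ];
    }
}

function render(bool $markSafe, RelationElement $element): string
{
    $loader = new ArrayLoader(['t' => '{{ e|render_relation_element }}']);
    $twig = new Environment($loader, ['autoescape' => 'html']);
    $twig->addExtension(new RelationExtension($markSafe));
    return $twig->render('t', ['e' => $element]);
}

// Constructed sample: a label carrying markup, as stored user input might.
$tainted = new RelationElement('<b onmouseover="x">Eve</b>');
echo render(true, $tainted), PHP_EOL;  // vulnerable: markup passes through unescaped
echo render(false, $tainted), PHP_EOL; // fixed: autoescape entity-encodes <, > and quotes
```

Run it twice against the same object to see that dropping the `is_safe` option alone is what restores escaping; the filter body does not change.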