Severity: LOW

GHSA-4j38-f5cw-54h7

Twig: The `spaceless` filter implicitly marks its output as safe

Details

### Description

The `spaceless` filter is registered with `is_safe => ['html']`, which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying `spaceless` to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote `|raw` and autoescape is enabled.

Example:

```twig
{% set payload = '<script>alert()</script>' %}
{{ payload }}           {# escaped #}
{{ payload|spaceless }} {# not escaped #}
```

The filter is deprecated but still functional. With the deprecation, some downstream projects (e.g. Drupal modules) have duplicated the filter and inherited the same `is_safe` flag.
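The following script is an added example, not code from Twig or from the advisory. It registers two copies of a spaceless-style filter against a Twig 3 environment with HTML autoescaping on: one registered the way the vulnerable core filter (and the downstream copies mentioned above) was, with `is_safe => ['html']`, and one without that flag. The filter names `spaceless_unsafe` and `spaceless_safe`, the template names and the payload string are assumptions made for the demonstration; the whitespace-collapsing regex is the same one Twig's core `spaceless` uses. It assumes `twig/twig` is installed through Composer.

```php
<?php
// Added example, not Twig's own code. Assumes vendor/autoload.php from
// `composer require twig/twig`.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Same transformation as Twig's core spaceless filter: drop whitespace
// between a closing '>' and the next '<'.
$collapse = static fn (?string $content): string =>
    trim(preg_replace('/>\s+</', '><', $content ?? ''));

// Template and filter names below are assumptions for this demo.
$loader = new ArrayLoader([
    'plain'  => '{{ payload }}',
    'unsafe' => '{{ payload|spaceless_unsafe }}',
    'safe'   => '{{ payload|spaceless_safe }}',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Vulnerable registration: is_safe tells the autoescaper the filter's
// output is already HTML-safe, so it is emitted verbatim. This is the flag
// the downstream copies of spaceless inherited.
$twig->addFilter(new TwigFilter('spaceless_unsafe', $collapse, [
    'is_safe' => ['html'],
]));

// Hardened registration: no is_safe, so the filter's output is escaped
// exactly like {{ payload }} would be.
$twig->addFilter(new TwigFilter('spaceless_safe', $collapse));

// Constructed attacker-controlled input: markup separated by whitespace so
// the filter actually has something to collapse.
$payload = "<script>alert(1)</script>\n  <b>injected</b>";

foreach (['plain', 'unsafe', 'safe'] as $name) {
    printf("%-6s %s\n", $name . ':', $twig->render($name, ['payload' => $payload]));
}
```

Run it with `php demo.php`: the `plain` and `safe` lines show the `<` and `>` characters entity-encoded, while the `unsafe` line emits the `<script>` element as live markup. The same check applies when auditing your own extensions: any `TwigFilter` or `TwigFunction` registered with `is_safe` is asserting that its output needs no escaping, so search for that option (for example `grep -rn "is_safe" src/`) and confirm each hit either escapes its input itself or is never fed user-controlled data.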

### Resolution

The `spaceless` filter no longer marks its output as safe. Documentation has been updated to warn that `spaceless` should not be applied to unsanitised user input.

### Credits

Twig would like to thank Pierre Rudloff for reporting the issue.


Affected packages

Packagist / twig/twig
First affected version: 0; fixed version: 3.26.0
Fix: composer require twig/twig:^3.26.0
