Twig: XSS in profiler HtmlDumper via unescaped template and profile names
Description
Twig\Profiler\Dumper\HtmlDumper writes Profile::getTemplate() and Profile::getName() straight into its HTML output without escaping:
protected function formatTemplate(Profile $profile, $prefix): string
{
return \sprintf('%s└ %s', $prefix, self::$colors['template'], $profile->getTemplate());
}The template name comes from the loader (the array key for ArrayLoader, a row id for a database-backed loader, etc.). When that name is attacker-controlled, the profiler dump emits arbitrary HTML, and any browser that renders it executes the injected markup. This is an output-encoding bug in profiler/debug tooling, not a sandbox escape.
Resolution
HtmlDumper now runs both Profile::getTemplate() and Profile::getName() through htmlspecialchars() before inserting them into the HTML output.
Credits
Twig would like to thank El Kharoubi Iosif for reporting the issue and Nicolas Grekas for fixing it.