Symfony UX Twig Component Unsanitized HTML Attribute Injection Vulnerability
Vulnerability
A vulnerability in the Symfony UX Twig Component library prior to version 2.25.1 allows for unsanitized HTML attribute injection. This issue arises when rendering `{{ attributes }}` or using methods that return a `ComponentAttributes` instance, such as `only()`, `defaults()`, or `without()`. The vulnerability can lead to Cross-Site Scripting (XSS) by injecting unsafe values, like user input, directly into HTML attributes without proper escaping. The problem is present in versions of `symfony/ux-twig-component` prior to 2.25.1, as well as in `symfony/ux-live-component`, which must also be updated to 2.25.1 to address the issue.
Impact
An attacker who controls a value that ends up in a component's attribute bag can have it emitted into an HTML attribute unescaped, which can lead to XSS in the rendered page.
Reproduction
To reproduce this vulnerability, use a version of the Symfony UX Twig Component library prior to 2.25.1. Render a component that uses `{{ attributes }}` or any method that returns a `ComponentAttributes` instance, such as `only()`, `defaults()`, or `without()`, with unsafe values that include user input. This will result in the injection of unsanitized HTML, which can be verified by checking for the presence of script tags or other injected content in the rendered output.
Remediation
Update the `symfony/ux-twig-component` and `symfony/ux-live-component` packages to version 2.25.1. After updating, ensure that `{{ attributes }}` or derived objects are not rendered directly if they may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes.
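As an added illustration (not code from the Symfony UX project or this advisory), the templates below show the weak pattern, a component that renders its whole attribute bag with `{{ attributes }}` or a derived `ComponentAttributes`, next to the form the remediation recommends; the `Alert` component name, the file paths and the `comment.author` value are assumed.

```twig
{# templates/components/Alert.html.twig (assumed path) #}

{# Weak form (before 2.25.1): every attribute the parent passed that does not
   match a declared prop is emitted verbatim. defaults()/only()/without()
   return another ComponentAttributes instance, so chaining them here does
   not change that. #}
<div{{ attributes.defaults({class: 'alert'}) }}>
    {% block content %}{% endblock %}
</div>

{# Recommended form: update symfony/ux-twig-component and
   symfony/ux-live-component to 2.25.1, then emit only the attributes the
   template actually expects, one at a time, through render(), which
   escapes the value. Attributes the template does not ask for are simply
   not output. #}
<div class="alert" {{ attributes.render('title') }} {{ attributes.render('data-id') }}>
    {% block content %}{% endblock %}
</div>

{# templates/comment/show.html.twig (assumed path): the parent passes
   user-controlled data as an undeclared attribute. With the weak form above,
   a value containing a double quote can close the title attribute and
   introduce further attributes inside the div tag. #}
<twig:Alert :title="comment.author">
    {{ comment.body }}
</twig:Alert>
```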