bug symfony#21387 Fix double escaping of the decision attributes in the profiler (stof)

nicolas-grekas · nicolas-grekas · commit 2cf8452dffae · 2017-01-24T11:21:58.000+01:00
This PR was merged into the 3.2 branch. Discussion ---------- Fix double escaping of the decision attributes in the profiler | Q | A | ------------- | --- | Branch? | 3.2 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony#21384 | License | MIT | Doc PR | n/a A ternary operator is considered safe by the Twig auto-escaping only when both branches are safe. But this ternary was safe only in the ELSE branch, causing it to be unsafe. This triggered a double-escaping of the value (escaping the output of the dump). The fix is to use a {% if %} and 2 separate output statements, allowing them to be auto-escaped separately. Commits ------- bc1f084 Fix double escaping of the decision attributes in the profiler
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig b/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
@@ -257,7 +257,13 @@
                                 : '<span class="label status-error same-width">DENIED</span>'
                             }}
                         </td>
-                        <td>{{ decision.attributes|length == 1 ? decision.attributes|first : profiler_dump(decision.attributes) }}</td>
+                        <td>
+                            {% if decision.attributes|length == 1 %}
+                                {{ decision.attributes|first }}
+                            {% else %}
+                                {{ profiler_dump(decision.attributes) }}
+                            {% endif %}
+                        </td>
                         <td>{{ profiler_dump(decision.object) }}</td>
                     </tr>
                 {% endfor %}
