security #cve-2025-47946 [TwigComponent] Add HtmlAttributeEscaper to fix component attributes escaping in HTML syntax (smnandre)

This PR was merged into the ux-2.x branch.

Author: nicolas-grekas

src/LiveComponent/composer.json

@@ -31,8 +31,8 @@
         "symfony/property-access": "^5.4.5|^6.0|^7.0",
         "symfony/property-info": "^5.4|^6.0|^7.0",
         "symfony/stimulus-bundle": "^2.9",
-        "symfony/ux-twig-component": "^2.8",
-        "twig/twig": "^3.8.0"
+        "symfony/ux-twig-component": "^2.25",
+        "twig/twig": "^3.10.3"
     },
     "require-dev": {
         "doctrine/annotations": "^1.0",

src/LiveComponent/src/DependencyInjection/LiveComponentExtension.php

@@ -15,6 +15,7 @@
 use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
+use Symfony\Component\DependencyInjection\Argument\AbstractArgument;
 use Symfony\Component\DependencyInjection\Argument\TaggedIteratorArgument;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
@@ -109,6 +110,7 @@ function (ChildDefinition $definition, AsLiveComponent $attribute) {
                 new Reference('ux.live_component.metadata_factory'),
                 new Reference('serializer', ContainerInterface::NULL_ON_INVALID_REFERENCE),
                 $config['secret'], // defaults to '%kernel.secret%'
+                new Reference('ux.twig_component.component_attributes_factory'),
             ])
         ;
 
@@ -156,6 +158,7 @@ function (ChildDefinition $definition, AsLiveComponent $attribute) {
             ->setArguments([
                 new Reference('ux.live_component.fingerprint_calculator'),
                 new Reference('ux.live_component.attribute_helper_factory'),
+                new Reference('ux.twig_component.component_attributes_factory'),
             ])
             ->addTag('container.service_subscriber', ['key' => ComponentFactory::class, 'id' => 'ux.twig_component.component_factory'])
             ->addTag('container.service_subscriber', ['key' => LiveComponentMetadataFactory::class, 'id' => 'ux.live_component.metadata_factory'])
@@ -197,8 +200,7 @@ function (ChildDefinition $definition, AsLiveComponent $attribute) {
             ->addTag('container.service_subscriber', ['key' => 'validator', 'id' => 'validator'])
         ;
 
-        $container->register('ux.live_component.attribute_helper_factory', TwigAttributeHelperFactory::class)
-            ->setArguments([new Reference('twig')]);
+        $container->register('ux.live_component.attribute_helper_factory', TwigAttributeHelperFactory::class);
 
         $container->register('ux.live_component.live_controller_attributes_creator', LiveControllerAttributesCreator::class)
             ->setArguments([
@@ -217,6 +219,7 @@ function (ChildDefinition $definition, AsLiveComponent $attribute) {
             ->setArguments([
                 new Reference('ux.twig_component.component_stack'),
                 new Reference('ux.live_component.twig.template_mapper'),
+                new Reference('ux.twig_component.component_attributes_factory'),
             ])
             ->addTag('kernel.event_subscriber')
             ->addTag('container.service_subscriber', ['key' => LiveControllerAttributesCreator::class, 'id' => 'ux.live_component.live_controller_attributes_creator'])

src/LiveComponent/src/EventListener/AddLiveAttributesSubscriber.php

@@ -17,6 +17,7 @@
 use Symfony\UX\LiveComponent\Twig\TemplateMap;
 use Symfony\UX\LiveComponent\Util\LiveControllerAttributesCreator;
 use Symfony\UX\TwigComponent\ComponentAttributes;
+use Symfony\UX\TwigComponent\ComponentAttributesFactory;
 use Symfony\UX\TwigComponent\ComponentMetadata;
 use Symfony\UX\TwigComponent\ComponentStack;
 use Symfony\UX\TwigComponent\Event\PreRenderEvent;
@@ -36,6 +37,7 @@ final class AddLiveAttributesSubscriber implements EventSubscriberInterface, Ser
     public function __construct(
         private ComponentStack $componentStack,
         private TemplateMap $templateMap,
+        private readonly ComponentAttributesFactory $componentAttributesFactory,
         private ContainerInterface $container,
     ) {
     }
@@ -105,6 +107,6 @@ private function getLiveAttributes(MountedComponent $mounted, ComponentMetadata
             $this->componentStack->hasParentComponent()
         );
 
-        return new ComponentAttributes($attributesCollection->toEscapedArray());
+        return $this->componentAttributesFactory->create($attributesCollection->toArray());
     }
 }

src/LiveComponent/src/LiveComponentHydrator.php

@@ -32,6 +32,7 @@
 use Symfony\UX\LiveComponent\Metadata\LivePropMetadata;
 use Symfony\UX\LiveComponent\Util\DehydratedProps;
 use Symfony\UX\TwigComponent\ComponentAttributes;
+use Symfony\UX\TwigComponent\ComponentAttributesFactory;
 
 /**
  * @author Kevin Bond <[email protected]>
@@ -52,6 +53,7 @@ public function __construct(
         private LiveComponentMetadataFactory $liveComponentMetadataFactory,
         private NormalizerInterface|DenormalizerInterface|null $serializer,
         #[\SensitiveParameter] private string $secret,
+        private readonly ComponentAttributesFactory $componentAttributesFactory,
     ) {
         if (!$secret) {
             throw new \InvalidArgumentException('A non-empty secret is required.');
@@ -144,7 +146,7 @@ public function hydrate(object $component, array $props, array $updatedProps, Li
         $dehydratedOriginalProps = $this->combineAndValidateProps($props, $updatedPropsFromParent);
         $dehydratedUpdatedProps = DehydratedProps::createFromUpdatedArray($updatedProps);
 
-        $attributes = new ComponentAttributes($dehydratedOriginalProps->getPropValue(self::ATTRIBUTES_KEY, []));
+        $attributes = $this->componentAttributesFactory->create($dehydratedOriginalProps->getPropValue(self::ATTRIBUTES_KEY, []));
         $dehydratedOriginalProps->removePropValue(self::ATTRIBUTES_KEY);
 
         $needProcessOnUpdatedHooks = [];

src/LiveComponent/src/Util/ChildComponentPartialRenderer.php

@@ -15,6 +15,7 @@
 use Symfony\Contracts\Service\ServiceSubscriberInterface;
 use Symfony\UX\LiveComponent\LiveComponentHydrator;
 use Symfony\UX\LiveComponent\Metadata\LiveComponentMetadataFactory;
+use Symfony\UX\TwigComponent\ComponentAttributesFactory;
 use Symfony\UX\TwigComponent\ComponentFactory;
 
 /**
@@ -27,6 +28,7 @@ class ChildComponentPartialRenderer implements ServiceSubscriberInterface
     public function __construct(
         private FingerprintCalculator $fingerprintCalculator,
         private TwigAttributeHelperFactory $attributeHelperFactory,
+        private ComponentAttributesFactory $componentAttributesFactory,
         private ContainerInterface $container,
     ) {
     }
@@ -43,7 +45,7 @@ public function renderChildComponent(string $deterministicId, string $currentPro
             $attributesCollection = $this->attributeHelperFactory->create();
             $attributesCollection->setLiveId($deterministicId);
 
-            return $this->createHtml($attributesCollection->toEscapedArray(), $childTag);
+            return $this->createHtml($attributesCollection->toArray(), $childTag);
         }
 
         /*
@@ -68,7 +70,7 @@ public function renderChildComponent(string $deterministicId, string $currentPro
         $readonlyDehydratedProps = $this->getLiveComponentHydrator()->addChecksumToData($readonlyDehydratedProps);
 
         $attributesCollection->setPropsUpdatedFromParent($readonlyDehydratedProps);
-        $attributes = $attributesCollection->toEscapedArray();
+        $attributes = $attributesCollection->toArray();
         // optional, but these just aren't needed by the frontend at this point
         unset($attributes['data-controller']);
         unset($attributes['data-live-url-value']);
@@ -82,13 +84,10 @@ public function renderChildComponent(string $deterministicId, string $currentPro
      */
     private function createHtml(array $attributes, string $childTag): string
     {
-        // transform attributes into an array of key="value" strings
-        $attributes = array_map(function ($key, $value) {
-            return \sprintf('%s="%s"', $key, $value);
-        }, array_keys($attributes), $attributes);
-        $attributes[] = 'data-live-preserve="true"';
+        $attributes['data-live-preserve'] = true;
+        $attributes = $this->componentAttributesFactory->create($attributes);
 
-        return \sprintf('<%s %s></%s>', $childTag, implode(' ', $attributes), $childTag);
+        return \sprintf('<%s%s></%s>', $childTag, $attributes, $childTag);
     }
 
     public static function getSubscribedServices(): array

src/LiveComponent/src/Util/LiveAttributesCollection.php

@@ -16,30 +16,26 @@
 use Twig\Runtime\EscaperRuntime;
 
 /**
- * An array of attributes that can eventually be returned as an escaped array.
+ * A collection of HTML attributes useful for LiveComponent.
  *
  * @internal
  */
 final class LiveAttributesCollection
 {
     private array $attributes = [];
 
-    public function __construct(private Environment $twig)
+    public function toArray(): array
     {
-    }
-
-    public function toEscapedArray(): array
-    {
-        $escaped = [];
+        $result = [];
         foreach ($this->attributes as $key => $value) {
             if (\is_array($value)) {
                 $value = JsonUtil::encodeObject($value);
             }
 
-            $escaped[$key] = $this->escapeAttribute($value);
+            $result[$key] = $value;
         }
 
-        return $escaped;
+        return $result;
     }
 
     public function setLiveController(string $componentName): void
@@ -107,18 +103,4 @@ public function setQueryUrlMapping(array $queryUrlMapping): void
     {
         $this->attributes['data-live-query-mapping-value'] = $queryUrlMapping;
     }
-
-    private function escapeAttribute(string $value): string
-    {
-        if (class_exists(EscaperRuntime::class)) {
-            return $this->twig->getRuntime(EscaperRuntime::class)->escape($value, 'html_attr');
-        }
-
-        if (method_exists(EscaperExtension::class, 'escape')) {
-            return EscaperExtension::escape($this->twig, $value, 'html_attr');
-        }
-
-        // since twig/twig 3.9.0: Using the internal "twig_escape_filter" function is deprecated.
-        return (string) twig_escape_filter($this->twig, $value, 'html_attr');
-    }
 }

src/LiveComponent/src/Util/TwigAttributeHelperFactory.php

@@ -20,12 +20,12 @@
  */
 final class TwigAttributeHelperFactory
 {
-    public function __construct(private Environment $twig)
+    public function __construct()
     {
     }
 
     public function create(): LiveAttributesCollection
     {
-        return new LiveAttributesCollection($this->twig);
+        return new LiveAttributesCollection();
     }
 }

src/LiveComponent/tests/Functional/EventListener/InterceptChildComponentRenderSubscriberTest.php

@@ -89,16 +89,16 @@ public function testItRendersNewPropWhenFingerprintDoesNotMatch(): void
                 // 1st renders empty
                 // fingerprint changed in 2nd & 3rd, so it renders new fingerprint + props
                 $this->assertStringContainsString(\sprintf(
-                    '<li id="%s0" data-live-preserve="true"></li>',
+                    '<li id="%s0" data-live-preserve></li>',
                     AddLiveAttributesSubscriberTest::TODO_ITEM_DETERMINISTIC_PREFIX
                 ), $content);
                 // new props are JUST the "textLength" + a checksum for it specifically
                 $this->assertStringContainsString(\sprintf(
-                    '<li data-live-name-value="todo_item" id="%s0" data-live-fingerprint-value="sMvvf7q68tz&#x2F;Cuk&#x2B;vDeisDiq&#x2B;7YPWzT&#x2B;WZFzI37dGHY&#x3D;" data-live-props-updated-from-parent-value="&#x7B;&quot;textLength&quot;&#x3A;18,&quot;&#x40;checksum&quot;&#x3A;&quot;LGxXa9fMKrJ6PelkUPfqmdwnfkk&#x2B;LORgoJHXyPpS3Pw&#x3D;&quot;&#x7D;" data-live-preserve="true"></li>',
+                    '<li data-live-name-value="todo_item" id="%s0" data-live-fingerprint-value="sMvvf7q68tz/Cuk+vDeisDiq+7YPWzT+WZFzI37dGHY=" data-live-props-updated-from-parent-value="{&quot;textLength&quot;:18,&quot;@checksum&quot;:&quot;LGxXa9fMKrJ6PelkUPfqmdwnfkk+LORgoJHXyPpS3Pw=&quot;}" data-live-preserve></li>',
                     AddLiveAttributesSubscriberTest::TODO_ITEM_DETERMINISTIC_PREFIX_EMBEDDED
                 ), $content);
                 $this->assertStringContainsString(\sprintf(
-                    '<li data-live-name-value="todo_item" id="%s1" data-live-fingerprint-value="8AooEz36WYQyxj54BCaDm&#x2F;jKbcdDdPDLaNO4&#x2F;49bcQk&#x3D;" data-live-props-updated-from-parent-value="&#x7B;&quot;textLength&quot;&#x3A;10,&quot;&#x40;checksum&quot;&#x3A;&quot;BXUk7q6LI&#x5C;&#x2F;6Qx3c62Xiui6287YndmoK3QmVq6e5mcGk&#x3D;&quot;&#x7D;" data-live-preserve="true"></li>',
+                    '<li data-live-name-value="todo_item" id="%s1" data-live-fingerprint-value="8AooEz36WYQyxj54BCaDm/jKbcdDdPDLaNO4/49bcQk=" data-live-props-updated-from-parent-value="{&quot;textLength&quot;:10,&quot;@checksum&quot;:&quot;BXUk7q6LI\/6Qx3c62Xiui6287YndmoK3QmVq6e5mcGk=&quot;}" data-live-preserve></li>',
                     AddLiveAttributesSubscriberTest::TODO_ITEM_DETERMINISTIC_PREFIX
                 ), $content);
             });
@@ -132,7 +132,7 @@ public function testItUsesKeysToRenderChildrenLiveIds(): void
             ->assertContains('id="live-521026374-the-key0"')
             ->assertNotContains('key="the-key0"')
             ->visit($urlWithChangedFingerprints)
-            ->assertContains('<li id="live-521026374-the-key0" data-live-preserve="true"></li>')
+            ->assertContains('<li id="live-521026374-the-key0" data-live-preserve></li>')
             // this one is changed, so it renders a full element
             ->assertContains('<li data-live-name-value="todo_item" id="live-4172682817-the-key1"')
         ;

src/LiveComponent/tests/Integration/LiveComponentHydratorTest.php

@@ -43,6 +43,7 @@
 use Symfony\UX\LiveComponent\Tests\Fixtures\Enum\ZeroIntEnum;
 use Symfony\UX\LiveComponent\Tests\LiveComponentTestHelper;
 use Symfony\UX\TwigComponent\ComponentAttributes;
+use Symfony\UX\TwigComponent\ComponentAttributesFactory;
 use Symfony\UX\TwigComponent\ComponentMetadata;
 use Zenstruck\Foundry\Test\Factories;
 use Zenstruck\Foundry\Test\ResetDatabase;
@@ -75,6 +76,9 @@ private function executeHydrationTestCase(callable $testFactory, ?int $minPhpVer
         $metadataFactory = self::getContainer()->get('ux.live_component.metadata_factory');
         \assert($metadataFactory instanceof LiveComponentMetadataFactory);
         $testCase = $testBuilder->getTest($metadataFactory);
+        
+        $componentAttributesFactory = self::getContainer()->get('ux.twig_component.component_attributes_factory');
+        \assert($componentAttributesFactory instanceof ComponentAttributesFactory);
 
         // keep a copy of the original, empty component object for hydration later
         $originalComponentWithData = clone $testCase->component;
@@ -90,7 +94,7 @@ private function executeHydrationTestCase(callable $testFactory, ?int $minPhpVer
 
         $dehydratedProps = $this->hydrator()->dehydrate(
             $originalComponentWithData,
-            new ComponentAttributes([]), // not worried about testing these here
+            $componentAttributesFactory->create([]), // not worried about testing these here
             $liveMetadata,
         );
 
@@ -132,7 +136,7 @@ private function executeHydrationTestCase(callable $testFactory, ?int $minPhpVer
 
         $dehydratedProps2 = $this->hydrator()->dehydrate(
             $componentAfterHydration,
-            new ComponentAttributes([]), // not worried about testing these here
+            $componentAttributesFactory->create(),
             $liveMetadata,
         );
         $this->hydrator()->hydrate(
@@ -1449,7 +1453,7 @@ public function __construct()
 
         $dehydratedProps = $this->hydrator()->dehydrate(
             $component,
-            new ComponentAttributes([]),
+            $this->createComponentAttributes(),
             $this->createLiveMetadata($component)
         );
 
@@ -1498,7 +1502,7 @@ public function testInterfaceTypedLivePropCannotBeDehydrated(): void
         $this->expectExceptionMessageMatches('/Cannot dehydrate value typed as interface "Symfony\UX\LiveComponent\Tests\Fixtures\Dto\SimpleDtoInterface" on component ');
         $this->expectExceptionMessageMatches('/ Change this to a concrete type that can be dehydrated/');
 
-        $this->hydrator()->dehydrate($component, new ComponentAttributes([]), $this->createLiveMetadata($component));
+        $this->hydrator()->dehydrate($component, $this->createComponentAttributes(), $this->createLiveMetadata($component));
     }
 
     /**
@@ -1634,7 +1638,7 @@ public function testHydrationTakeUpdatedParentPropsIntoAccount(): void
         $liveMetadata = $this->createLiveMetadata($component);
         $dehydrated = $this->hydrator()->dehydrate(
             $component,
-            new ComponentAttributes([]),
+            $this->createComponentAttributes(),
             $liveMetadata
         );
         $updatedFromParentData = ['shouldUppercase' => true];
@@ -1665,7 +1669,7 @@ public function testHydrationWithUpdatesParentPropsAndBadChecksumFails(): void
         $liveMetadata = $this->createLiveMetadata($component);
         $dehydrated = $this->hydrator()->dehydrate(
             $component,
-            new ComponentAttributes([]),
+            $this->createComponentAttributes(),
             $liveMetadata
         );
         $updatedFromParentData = ['name' => 'Kevin'];
@@ -1820,6 +1824,14 @@ public static function falseyValueProvider(): iterable
         yield ['nullableBool', '', null];
         yield 'fooey-o-booey-todo' => ['nullableBool', '   ', null];
     }
+    
+    private function createComponentAttributes(array $attributes = []): ComponentAttributes
+    {
+        $factory = self::getContainer()->get('ux.twig_component.component_attributes_factory');
+        \assert($factory instanceof ComponentAttributesFactory);
+        
+        return $factory->create($attributes);
+    }  
 
     private function createLiveMetadata(object $component): LiveComponentMetadata
     {

src/LiveComponent/tests/Unit/LiveComponentHydratorTest.php

@@ -20,6 +20,8 @@
 use Symfony\UX\LiveComponent\LiveComponentHydrator;
 use Symfony\UX\LiveComponent\Metadata\LiveComponentMetadataFactory;
 use Symfony\UX\LiveComponent\Metadata\LivePropMetadata;
+use Symfony\UX\TwigComponent\ComponentAttributesFactory;
+use Twig\Environment;
 
 final class LiveComponentHydratorTest extends TestCase
 {
@@ -34,6 +36,7 @@ public function testConstructWithEmptySecret(): void
             $this->createMock(LiveComponentMetadataFactory::class),
             $this->createMock(NormalizerInterface::class),
             '',
+            new ComponentAttributesFactory($this->createMock(Environment::class)),
         );
     }
 
@@ -45,6 +48,7 @@ public function testItCanHydrateWithNullValues()
             $this->createMock(LiveComponentMetadataFactory::class),
             new Serializer(normalizers: [new ObjectNormalizer()]),
             'foo',
+            new ComponentAttributesFactory($this->createMock(Environment::class)),
         );
 
         $hydratedValue = $hydrator->hydrateValue(