Affected versions
Twig versions <3.26.0 of the Twig Cssinliner Extra and Twig Markdown Extra components are affected by this security issue.
The issue has been fixed in Twig 3.26.0.
Description
Several filters in the twig/* extras packages are registered with
is_safe => ['all'], which tells Twig's autoescaper to treat their
output as safe in every context (html, js, css, url, ...).
The output of these filters is plain text or HTML markup, neither of which
is safe in every escaping context.
Affected filters:
html_to_markdown(twig/markdown-extra) emits plain Markdown text.league/html-to-markdowndecodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled<code><img src=x onerror=alert(1)></code>becomes a Markdown code span containing the live HTML markup, which renders live when interpolated into an HTML page.markdown_to_html(twig/markdown-extra) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline<script>block).inline_css(twig/cssinliner-extra) emits HTML with inlined styles. Same constraint asmarkdown_to_html.
In all three cases, is_safe => ['all'] causes the autoescaper to emit
the output verbatim in any context, even when the developer never wrote
|raw. In a context such as a JS string or a URL parameter, this
produces unescaped HTML and is exploitable as XSS.
Resolution
html_to_markdownno longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.markdown_to_htmlandinline_cssare now declaredis_safe => ['html'], asserting only what they actually guarantee.
Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for
reporting the issue and providing the fix for html_to_markdown and
markdown_to_html in twig/markdown-extra, and Christophe Coevoet for
extending the audit to inline_css in twig/cssinliner-extra.