Affected versions
Symfony versions >=2.8.0, <2.36.0, >=3.0.0, <3.1.0 of the Symfony UX Live Component component are affected by this security issue.
The issue has been fixed in Symfony 2.36.0, 3.1.0.
Description
Symfony
interpolates the $childTag argument directly into the HTML output as a tag
name, without escaping or validation. The value originates from
client-controlled JSON (children[id].tag) parsed by
LiveComponentSubscriber and propagated through
InterceptChildComponentRenderSubscriber, so an attacker who can reach the
Live Component endpoint can inject arbitrary HTML, including <script> tags,
on any re-render of a Live Component that contains at least one child
component.
In the default configuration, the Live Component endpoint is gated by an
Accept: application/vnd.live-component+html request-header check that
cannot be set cross-origin without a CORS preflight, so the issue is primarily
a defense-in-depth gap. It becomes directly exploitable on applications that
have relaxed CORS to allow this header from untrusted origins, or that have
been pivoted from another same-origin XSS.
Resolution
ChildComponentPartialRenderer now validates $childTag against a strict
HTML tag-name regex before interpolating it, and rejects any value that
doesn't match. Anything that wouldn't be a valid HTML tag is dropped before
reaching the response.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
We would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.