Affected versions

Symfony UX symfony/ux-live-component and symfony/ux-twig-component versions <2.25.1 are affected by this security issue.

The issue has been fixed in the 2.25.1 version of these packages.

Description

Rendering {{ attributes }} or using any method that returns a ComponentAttributes instance (e.g. only(), defaults(), without()) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities.

Resolution

The issue is fixed in version 2.25.1 of symfony/ux-twig-component by using Twig's EscaperRuntime to properly escape HTML attributes in ComponentAttributes. If you use symfony/ux-live-component, you must also update it to 2.25.1 to benefit from the fix, as it reuses the ComponentAttributes class internally.
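To make the description and the resolution above concrete, here is an added illustration (not code from symfony/ux-twig-component or Twig) that models how an attribute map is rendered to an HTML attribute string: renderUnescaped() mirrors the pre-2.25.1 behaviour, and renderEscaped() applies the same HTML escaping that Twig's "html" strategy performs, here via PHP's htmlspecialchars(). The function names and the sample attribute map are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from symfony/ux-twig-component. Both functions
// take a ComponentAttributes-like map (name => value) and build the string
// that would replace {{ attributes }} in a component template.

/** Pre-2.25.1 behaviour: values are concatenated verbatim. */
function renderUnescaped(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        // A value containing a double quote closes the attribute early,
        // so whatever follows is parsed by the browser as new attributes.
        $parts[] = sprintf('%s="%s"', $name, (string) $value);
    }

    return implode(' ', $parts);
}

/** Fixed behaviour: HTML-escape every value before placing it in quotes. */
function renderEscaped(array $attributes): string
{
    $parts = [];
    foreach ($attributes as $name => $value) {
        // ENT_QUOTES escapes both " and ', so the value can never leave the
        // quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
        // returning an empty string, which would silently drop the value.
        $safeValue = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $parts[] = sprintf('%s="%s"', $name, $safeValue);
    }

    return implode(' ', $parts);
}

// Constructed sample: "title" carries user input that tries to close the
// attribute and append an extra one.
$attributes = [
    'class' => 'btn',
    'title' => 'x" data-injected="1',
];

echo renderUnescaped($attributes), PHP_EOL;
echo renderEscaped($attributes), PHP_EOL;
```

In the unescaped output the browser sees a third attribute, data-injected, which is exactly the attribute injection the advisory describes; in the escaped output the double quote becomes &quot; and the entire user-supplied string remains inside the title attribute.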

Credits

We would like to thank Martin Hložek and Dimitar Raichev for reporting the issue and Simon André for providing the fix.

Published in #Security Advisories