Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Symfony's profiler, a development only debug UI, renders source-code excerpts on several pages using Twig's custom file_excerpt filter. This filter renders PHP files via highlight_string() (which escapes HTML), but renders non-PHP files by splitting on \n and interpolating each line directly into <code>{$line}</code> with no escaping. An attacker who can write arbitrary bytes into any file under the project root (including e.g. var/log/dev.log), achieves stored XSS against any developer who …