Twig XSS protection disabled

ID

php.twig_xss_protection_disabled

Severity

high

Resource

Misconfiguration

Language

Php

Tags

CWE:80, NIST.SP.800-53, OWASP:2021:A3, OWASP:2021:A5, PCI-DSS:6.5.7, symfony, twig

Description

Twig HTML escaping disabled.

Rationale

Cross-Site Scripting (XSS) is a vulnerability that occurs when an application includes untrusted data in a web page without proper validation or escaping.

In Twig, XSS protection is primarily provided by the auto-escaping feature. Disabling auto-escaping increases the risk of introducing XSS vulnerabilities, as it requires developers to manually ensure all output is safe, which is error-prone.

twig:
    auto_reload: '%kernel.debug%'
    autoescape: false # FLAW: Disables auto-escaping, increasing XSS risk
    base_template_class: 'Twig_Template'
    cache: '%kernel.cache_dir%/twig'
    charset: '%kernel.charset%'
    debug: '%kernel.debug%'
    strict_variables: false

<container xmlns="http://symfony.com/schema/dic/services"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:twig="http://symfony.com/schema/dic/twig"
           xsi:schemaLocation="
               http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
               http://symfony.com/schema/dic/twig http://symfony.com/schema/dic/twig/twig-1.0.xsd">

    <!-- FLAW: Auto-escaping disabled, increasing XSS risk -->
    <twig:config auto-reload="%kernel.debug%"
                 autoescape="false"
                 base-template-class="Twig_Template"
                 cache="%kernel.cache_dir%/twig"
                 charset="%kernel.charset%"
                 debug="%kernel.debug%"
                 strict-variables="false">
    </twig:config>
</container>

Remediation

To address XSS vulnerabilities effectively when using Twig, do not disable the autoescape setting.
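What the `autoescape` option changes at render time, as an added example that is not part of this rule page: the same template is rendered once with the flawed setting from the configuration above and once with Twig's HTML strategy. It uses Twig's own `Environment` and `ArrayLoader` classes; the Composer autoload path, the template text and the untrusted input are constructed for the demonstration.

```php
<?php
// Added example (not part of the rule page). Requires the twig/twig package;
// the autoload path below is an assumption about the project layout.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed template: renders a value that comes from the request.
$templates = ['greeting.html.twig' => 'Hello, {{ name }}!'];

// Constructed untrusted input, e.g. a user-chosen display name.
$untrusted = '<script>alert(1)</script>';

// FLAW: the PHP equivalent of `autoescape: false` in twig.yaml.
// The markup in $name is copied into the HTML verbatim, so the browser
// would execute it. Every developer must now remember to add |e manually.
$flawed = new Environment(new ArrayLoader($templates), ['autoescape' => false]);
echo "autoescape=false: ",
     $flawed->render('greeting.html.twig', ['name' => $untrusted]), PHP_EOL;

// FIX: keep the HTML strategy (Twig's default; Symfony's TwigBundle also
// selects it for *.html.twig files unless the config overrides it).
// The <, > and quotes are converted to HTML entities, so the value is
// displayed as text instead of being parsed as markup.
$safe = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
echo "autoescape=html:  ",
     $safe->render('greeting.html.twig', ['name' => $untrusted]), PHP_EOL;

// Caveat: auto-escaping only covers values the template does not mark as
// safe. The |raw filter opts out per expression, so it must never be applied
// to untrusted data even when the global setting is correct. Review
// templates for |raw as part of the same check.
$rawTpl = ['unsafe.html.twig' => 'Hello, {{ name|raw }}!'];
$safeEnv = new Environment(new ArrayLoader($rawTpl), ['autoescape' => 'html']);
echo "autoescape=html, |raw: ",
     $safeEnv->render('unsafe.html.twig', ['name' => $untrusted]), PHP_EOL;
```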