N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)
2026-04-24 11:08:45 +02:00 · 2025-08-06 08:54:56 +02:00
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
--- a/lib/symfony/twig-bridge/Extension/CodeExtension.php
+++ b/lib/symfony/twig-bridge/Extension/CodeExtension.php
@@ -96,6 +96,8 @@ final class CodeExtension extends AbstractExtension
                $formattedValue = '<em>'.strtolower(htmlspecialchars(var_export($item[1], true), \ENT_COMPAT | \ENT_SUBSTITUTE, $this->charset)).'</em>';
            } elseif ('resource' === $item[0]) {
                $formattedValue = '<em>resource</em>';
+            } elseif (preg_match('/[^\x07-\x0D\x1B\x20-\xFF]/', $item[1])) {
+                $formattedValue = '<em>binary string</em>';
            } else {
                $formattedValue = str_replace("\n", '', htmlspecialchars(var_export($item[1], true), \ENT_COMPAT | \ENT_SUBSTITUTE, $this->charset));
            }
@@ -126,10 +128,10 @@ final class CodeExtension extends AbstractExtension
            if (\PHP_VERSION_ID >= 80300) {
                // remove main pre/code tags
                $code = preg_replace('#^<pre.*?>\s*<code.*?>(.*)</code>\s*</pre>#s', '\\1', $code);
-                // split multiline code tags
-                $code = preg_replace_callback('#<code ([^>]++)>((?:[^<]*+\\n)++[^<]*+)</code>#', fn ($m) => "<code $m[1]>".str_replace("\n", "</code>\n<code $m[1]>", $m[2]).'</code>', $code);
-                // Convert spaces to html entities to preserve indentation when rendered
-                $code = str_replace(' ', '&nbsp;', $code);
+                // split multiline span tags
+                $code = preg_replace_callback('#<span ([^>]++)>((?:[^<\\n]*+\\n)++[^<]*+)</span>#', function ($m) {
+                    return "<span $m[1]>".str_replace("\n", "</span>\n<span $m[1]>", $m[2]).'</span>';
+                }, $code);
                $content = explode("\n", $code);
            } else {
                // remove main code/span tags
@@ -157,7 +159,7 @@ final class CodeExtension extends AbstractExtension
    /**
     * Formats a file path.
     */
-    public function formatFile(string $file, int $line, string $text = null): string
+    public function formatFile(string $file, int $line, ?string $text = null): string
    {
        $file = trim($file);