N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)
2026-04-26 03:58:45 +02:00 · 2025-08-06 08:54:56 +02:00
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
--- a/lib/symfony/web-profiler-bundle/Resources/views/Profiler/base_js.html.twig
+++ b/lib/symfony/web-profiler-bundle/Resources/views/Profiler/base_js.html.twig
@@ -75,7 +75,7 @@
                    }

                    tab.addEventListener('click', function(e) {
-                        const activeTab = e.target || e.srcElement;
+                        let activeTab = e.target || e.srcElement;

                        /* needed because when the tab contains HTML contents, user can click */
                        /* on any of those elements instead of their parent '<button>' element */
@@ -122,6 +122,12 @@
                }

                toggle.addEventListener('click', (e) => {
+                    const toggle = e.currentTarget;
+
+                    if (e.target.closest('a, .sf-toggle') !== toggle) {
+                        return;
+                    }
+
                    e.preventDefault();

                    if ('' !== window.getSelection().toString()) {
@@ -129,9 +135,6 @@
                        return;
                    }

-                    /* needed because when the toggle contains HTML contents, user can click */
-                    /* on any of those elements instead of their parent '.sf-toggle' element */
-                    const toggle = e.target.closest('.sf-toggle');
                    const element = document.querySelector(toggle.getAttribute('data-toggle-selector'));

                    toggle.classList.toggle('sf-toggle-on');
@@ -154,14 +157,6 @@
                    toggle.innerHTML = currentContent !== altContent ? altContent : originalContent;
                });

-                /* Prevents from disallowing clicks on links inside toggles */
-                const toggleLinks = toggle.querySelectorAll('a');
-                toggleLinks.forEach((toggleLink) => {
-                    toggleLink.addEventListener('click', (e) => {
-                        e.stopPropagation();
-                    });
-                });
-
                toggle.setAttribute('data-processed', 'true');
            });
        }