[Profiler] Escape template and profile names in HtmlDumper

nicolas-grekas · fabpot · commit a5f6e8793e60 · 2026-05-19T18:54:32.000+02:00
The HtmlDumper output is intended to be rendered in a browser, and the
template and macro/block names it interpolates are loader-controlled
(e.g. the key for ArrayLoader or a database row id), so they can carry
arbitrary HTML when an application stores templates under user-supplied
identifiers.
diff --git a/src/Profiler/Dumper/HtmlDumper.php b/src/Profiler/Dumper/HtmlDumper.php
@@ -32,16 +32,21 @@ public function dump(Profile $profile): string
 
     protected function formatTemplate(Profile $profile, $prefix): string
     {
-        return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());
+        return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], self::escape($profile->getTemplate()));
     }
 
     protected function formatNonTemplate(Profile $profile, $prefix): string
     {
-        return \sprintf('%s└ %s::%s(<span style="background-color: %s">%s</span>)', $prefix, $profile->getTemplate(), $profile->getType(), self::$colors[$profile->getType()] ?? 'auto', $profile->getName());
+        return \sprintf('%s└ %s::%s(<span style="background-color: %s">%s</span>)', $prefix, self::escape($profile->getTemplate()), $profile->getType(), self::$colors[$profile->getType()] ?? 'auto', self::escape($profile->getName()));
     }
 
     protected function formatTime(Profile $profile, $percent): string
     {
         return \sprintf('<span style="color: %s">%.2fms/%.0f%%</span>', $percent > 20 ? self::$colors['big'] : 'auto', $profile->getDuration() * 1000, $percent);
     }
+
+    private static function escape(string $value): string
+    {
+        return htmlspecialchars($value, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
+    }
 }
diff --git a/tests/Profiler/Dumper/HtmlTest.php b/tests/Profiler/Dumper/HtmlTest.php
@@ -21,6 +21,7 @@
  */
 
 use Twig\Profiler\Dumper\HtmlDumper;
+use Twig\Profiler\Profile;
 
 class HtmlTest extends ProfilerTestCase
 {
@@ -39,4 +40,23 @@ public function testDump()
 </pre>
 EOF, $dumper->dump($this->getProfile()));
     }
+
+    public function testDumpEscapesTemplateAndProfileNames()
+    {
+        $root = new Profile('main');
+        $child = new Profile('<img src=x onerror=alert(1)>', Profile::TEMPLATE);
+        $grandchild = new Profile('<img src=x onerror=alert(2)>', Profile::MACRO, '<img src=x onerror=alert(3)>');
+
+        (new \ReflectionProperty($child, 'profiles'))->setValue($child, [$grandchild]);
+        (new \ReflectionProperty($root, 'profiles'))->setValue($root, [$child]);
+
+        $output = (new HtmlDumper())->dump($root);
+
+        $this->assertStringNotContainsString('<img src=x onerror=alert(1)>', $output);
+        $this->assertStringNotContainsString('<img src=x onerror=alert(2)>', $output);
+        $this->assertStringNotContainsString('<img src=x onerror=alert(3)>', $output);
+        $this->assertStringContainsString('&lt;img src=x onerror=alert(1)&gt;', $output);
+        $this->assertStringContainsString('&lt;img src=x onerror=alert(2)&gt;', $output);
+        $this->assertStringContainsString('&lt;img src=x onerror=alert(3)&gt;', $output);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -32,16 +32,21 @@ public function dump(Profile $profile): string`
`32`	`32`
`33`	`33`	`protected function formatTemplate(Profile $profile, $prefix): string`
`34`	`34`	`{`
`35`		`- return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], $profile->getTemplate());`
	`35`	`+ return \sprintf('%s└ <span style="background-color: %s">%s</span>', $prefix, self::$colors['template'], self::escape($profile->getTemplate()));`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`protected function formatNonTemplate(Profile $profile, $prefix): string`
`39`	`39`	`{`
`40`		`- return \sprintf('%s└ %s::%s(<span style="background-color: %s">%s</span>)', $prefix, $profile->getTemplate(), $profile->getType(), self::$colors[$profile->getType()] ?? 'auto', $profile->getName());`
	`40`	`+ return \sprintf('%s└ %s::%s(<span style="background-color: %s">%s</span>)', $prefix, self::escape($profile->getTemplate()), $profile->getType(), self::$colors[$profile->getType()] ?? 'auto', self::escape($profile->getName()));`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`protected function formatTime(Profile $profile, $percent): string`
`44`	`44`	`{`
`45`	`45`	`return \sprintf('<span style="color: %s">%.2fms/%.0f%%</span>', $percent > 20 ? self::$colors['big'] : 'auto', $profile->getDuration() * 1000, $percent);`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ private static function escape(string $value): string`
	`49`	`+ {`
	`50`	`+ return htmlspecialchars($value, \ENT_QUOTES \| \ENT_SUBSTITUTE, 'UTF-8');`
	`51`	`+ }`
`47`	`52`	`}`