Avoiding an XSS Loophole in Twig
Cross-site-scripting, or XSS, is a class of web application vulnerabilities. When an attacker is able to inject a code snippet of choice into a web page and have it treated as HTML, JavaScript or similar, they gain vast freedom to perform actions on behalf of the users to which that code is displayed. The Twig template engine comes with an „autoescape“ feature that will prevent many XSS attack vectors by default. Yet, you still need to be aware of potential pitfalls. In this blog post, I‘ll cover one example.