Listen to this Post
The vulnerability exists because Twig’s `spaceless` filter is registered with the `is_safe => [‘html’]` flag. This flag tells Twig’s auto-escaping mechanism that the filter’s output is already safe for HTML, so the engine does not escape it—even when `autoescape` is enabled and the developer never used |raw. When an attacker can control the input passed to spaceless, they can inject arbitrary HTML/JavaScript tags. For example:
`{% set payload = ‘‘ %}`
`{{ payload }}` → escaped, safe.
`{{ payload|spaceless }}` → unescaped, executes script.
The filter is deprecated but remains functional. Downstream projects like Drupal modules have copied the filter and inherited the unsafe `is_safe` flag.
The fix removes the `is_safe => [‘html’]` flag from spaceless, so its output is now escaped by default. Documentation now warns against applying `spaceless` to unsanitized user input.
dailycve form
Platform: Twig
Version: <2.14.11,<3.3.8
Vulnerability: Autoescaping bypass XSS
Severity: Medium
Date: 2026-05-21
Prediction: Already patched Nov2021
What Undercode Say:
Test if a Twig instance is vulnerable php -r "echo (version_compare(Twig\Environment::VERSION, '2.14.11', '<') && version_compare(Twig\Environment::VERSION, '3.3.8', '<')) ? 'VULNERABLE' : 'PATCHED';" Check Drupal modules that duplicated the filter grep -r "spaceless" modules/custom/ --include=".php" | grep "is_safe"
Exploit:
Attacker supplies `{{ ‘‘|spaceless }}` via any field that passes user input to a Twig template using the `spaceless` filter. The browser executes the JavaScript because the output is not escaped.
Protection from this CVE
Upgrade Twig to `2.14.11+` or 3.3.8+. If patching impossible, avoid applying `spaceless` to user-controlled content. Remove `is_safe => [‘html’]` from any custom copy of the filter in downstream projects.
Impact
Stored or reflected XSS leading to session hijacking, data theft, or defacement in any application that renders attacker-controlled strings through the `spaceless` filter while autoescape is on.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

