devNull

Reputation: 13

HTML Entities in Symfony Twig

I'm currently working on a code review for a friend and I found an XSS vulnerability I'd like to understand properly:

Let's say I have a variable foo.bar with the input <h1>test</h1>

I now figured out this pattern:

{{foo.bar}} -> no XSS

{% trans with { '%var%': foo.bar } %} My "%var%" {% endtrans %} -> XSS 

{% trans with { '%var%': foo.bar | e('html') } %} My "%var%" {% endtrans %}  -> no XSS

I thought I'd run a regex pattern through his whole code to find other places where HTML characters are badly encoded, but I did not quite understand when Twig encodes HTML tags and when it does not. I do understand the "e" (encoding) function, which encodes my variable value into HTML entities, but why does {{foo.bar}} encode the characters while {% trans with ... does not?

I would search with this pattern for coding mistakes in Twig:

Regex:
'\{%\s*trans\s+with.*'

-> Searching for "{%[space?]trans[space?] with"

as I guess every time he missed the |e('html') there might be an issue. Am I on the right track? Am I missing something?

I hope I can find more clarification on this topic here :)

Upvotes: 0

Views: 861

Answers (1)

Jason Stephenson

Reputation: 220

Twig always escapes, but "trans with" is part of Symfony and not Twig. It is not autoescaped because it is passed to a tag, and the tag may output it, but that is not a certainty, so this is why they refuse to autoescape.

I personally always use the |trans() filter instead, so by default you know you are safe; you can of course still use |raw if needed.

https://symfony.com/doc/current/translation/templates.html

Using the translation tags or filters has the same effect, but with one subtle difference: automatic output escaping is only applied to translations using a filter. In other words, if you need to be sure that your translated message is not output escaped, you must apply the raw filter after the translation filter:

Upvotes: 2
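A small review aid that does what the question's regex was reaching for, written as an added example (it is not code from either post): it scans template text for the Symfony `{% trans with { ... } %}` tag form, which is not autoescaped, and reports each parameter that is not passed through Twig's `|e` / `|escape` filter, while leaving the autoescaped `|trans` filter form alone. The template lines and the `find_unescaped_trans_params` function name are constructed for this example.

```python
import re

# Constructed sample template lines, mirroring the three patterns in the question
# plus a two-parameter tag and the |trans filter form from the answer.
SAMPLE_TEMPLATE = """\
<h1>{{ foo.bar }}</h1>
{% trans with { '%var%': foo.bar } %} My "%var%" {% endtrans %}
{% trans with { '%var%': foo.bar | e('html') } %} My "%var%" {% endtrans %}
{%  trans   with {'%name%': user.name, '%count%': items|length|e} %}Hello %name%{% endtrans %}
{{ 'greeting'|trans({'%name%': user.name}) }}
"""

# Opening "{% trans with { ... } %}" tag; captures the parameter map between the braces.
TRANS_WITH_RE = re.compile(r"\{%-?\s*trans\s+with\s*\{(?P<params>.*?)\}\s*-?%\}")
# Twig escaping filter, spelled |e(...) or |escape(...), with optional whitespace.
ESCAPE_FILTER_RE = re.compile(r"\|\s*(?:e|escape)\b")


def find_unescaped_trans_params(template: str):
    """Return (line_no, parameter) for every {% trans with %} parameter lacking |e/|escape.

    Only the tag form is inspected: the |trans filter is autoescaped by Twig, so it
    is never flagged. Parameters are split on commas, which is sufficient for the
    flat "'%key%': value" maps normally passed to trans; values that themselves
    contain commas would need a real Twig parser.
    """
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for match in TRANS_WITH_RE.finditer(line):
            for param in match.group("params").split(","):
                param = param.strip()
                if param and ESCAPE_FILTER_RE.search(param) is None:
                    findings.append((line_no, param))
    return findings


if __name__ == "__main__":
    for line_no, param in find_unescaped_trans_params(SAMPLE_TEMPLATE):
        print(f"line {line_no}: unescaped trans parameter {param!r}")
```

Running it on the sample reports line 2 and the `user.name` parameter on line 4; the escaped variant on line 3 and the `|trans` filter on line 5 are not reported.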
