symfony/ux-autocomplete: XSS via unescaped AJAX response data
Description
Description
The Stimulus controller shipped with symfony/ux-autocomplete renders AJAX response items into the dropdown by interpolating the text field directly into HTML template literals (${item[labelField]}) inside _createAutocompleteWithRemoteData(). The value is parsed as HTML rather than text, so any markup contained in the AJAX response is executed by the browser.
When the dropdown values are derived from user-supplied content, an attacker can craft a string that triggers stored XSS in the browser of any other user who later opens a page containing an autocomplete widget backed by the same data.
Resolution
The option and item renderers used in _createAutocompleteWithRemoteData() now use TomSelect's escape helper to HTML-escape the value by default. Endpoints that legitimately return HTML (for example, to highlight the search term) can opt back in to the previous behavior by setting options_as_html: true. The AutocompleteChoiceTypeExtension normalizer that previously forced options_as_html=false when autocomplete_url was set has been dropped so the opt-in is reachable from the form layer.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Alex Ashkov for reporting the issue and Hugo Alliaume for providing the fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=2.x
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping in the Stimulus controller's AJAX response renderers allows stored XSS via the `text` field of autocomplete dropdown items."
Attack vector
An attacker supplies user-controlled content that is stored in the data source backing an autocomplete widget. When another user opens a page containing that autocomplete field, the AJAX endpoint returns the attacker's payload in the `text` field of the JSON response. The Stimulus controller renders this value via `<div>${item[labelField]}</div>` without HTML escaping, causing the browser to execute the injected markup [ref_id=2]. This is a stored cross-site scripting (XSS) attack [CWE-79].
Affected code
The vulnerability is in `src/Autocomplete/assets/src/controller.ts` in the `_createAutocompleteWithRemoteData()` method, specifically the `option` and `item` renderers that interpolate `item[labelField]` directly into HTML template literals without escaping [patch_id=6625358]. The `AutocompleteChoiceTypeExtension` normalizer in `src/Autocomplete/src/Form/AutocompleteChoiceTypeExtension.php` previously forced `options_as_html=false` when `autocomplete_url` was set, preventing users from opting into HTML rendering [patch_id=6625358].
What the fix does
The patch modifies the `option` and `item` renderers in `controller.ts` to use TomSelect's `escape` helper by default, HTML-escaping the `item[labelField]` value [patch_id=6625358]. When `optionsAsHtmlValue` is `true`, the raw value is still interpolated, preserving backward compatibility for endpoints that intentionally return HTML. The normalizer in `AutocompleteChoiceTypeExtension.php` that unconditionally forced `options_as_html=false` when `autocomplete_url` was set has been removed, making the opt-in actually reachable from the form layer [patch_id=6625358].
Preconditions
- configThe autocomplete widget must be AJAX-powered (i.e., use `data-autocomplete-url-value` or `autocomplete_url`).
- inputThe AJAX endpoint must return user-supplied or user-influenced content in the `text` field of the JSON response.
- inputThe victim must interact with the autocomplete field (e.g., click or type) to trigger the dropdown rendering.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.