From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Tue, 16 Apr 2019 11:41:32 +0200
Subject: security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in
the form theme of the PHP templating engine (stof)
This PR was merged into the 2.8 branch.
Discussion
----------
[FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine
Based on #88
Commits
-------
f7c95b4cd5 Fix XSS issues in the form theme of the PHP templating engine
Origin: upstream, https://github.com/symfony/symfony/commit/41e9ec3e04e824dbf218dda3bf6dcf7689d6d33c
---
.../Resources/views/Form/choice_widget_collapsed.html.php | 2 +-
.../Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php | 2 +-
.../Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php
index 92298cf..c6d8334 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php
@@ -11,7 +11,7 @@
<?php if (count($preferred_choices) > 0): ?>
<?php echo $view['form']->block($form, 'choice_widget_options', array('choices' => $preferred_choices)) ?>
<?php if (count($choices) > 0 && null !== $separator): ?>
- <option disabled="disabled"><?php echo $separator ?></option>
+ <option disabled="disabled"><?php echo $view->escape($separator) ?></option>
<?php endif ?>
<?php endif ?>
<?php echo $view['form']->block($form, 'choice_widget_options', array('choices' => $choices)) ?>
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php
index 77c60d7..d97179e 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php
@@ -1,7 +1,7 @@
<?php if (count($errors) > 0): ?>
<ul>
<?php foreach ($errors as $error): ?>
- <li><?php echo $error->getMessage() ?></li>
+ <li><?php echo $view->escape($error->getMessage()) ?></li>
<?php endforeach; ?>
</ul>
<?php endif ?>
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php
index ba2f3a4..7e24425 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php
@@ -1,6 +1,6 @@
<?php $method = strtoupper($method) ?>
<?php $form_method = $method === 'GET' || $method === 'POST' ? $method : 'POST' ?>
-<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $action ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
+<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $view->escape($action) ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
<?php if ($form_method !== $method): ?>
- <input type="hidden" name="_method" value="<?php echo $method ?>" />
+ <input type="hidden" name="_method" value="<?php echo $view->escape($method) ?>" />
<?php endif ?>
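Review bot: `$name` is still echoed raw into the `name` attribute on the new `<form>` line, while `$action`, `$method` and the `$attr` keys and values on the same line now pass through `$view->escape()`. The form name normally comes from the form type or builder rather than from request data, so the practical exposure looks low, but it leaves one unescaped attribute in a template that this patch is making uniformly escaped; `name="<?php echo $view->escape($name) ?>"` would close the gap. `$form_method` needs no change, since the second line of the hunk restricts it to `GET` or `POST` before it is output.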