### Impact

If an application uses `HttpException::setTitle()` and/or `setDescription()` to include untrusted/request-derived data in the error title or description (e.g. `"No products found matching '{$query}'."`), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim.

The vulnerability is present even with `displayErrorDetails = false`, as the unescaped title and description are rendered on this error path.

Built-in exceptions (`HttpNotFoundException`, `HttpBadRequestException`, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into `setTitle()` and/or `setDescription()` are affected.

### Patches

The issue is fixed in 4.15.2.

### Workarounds

Without upgrading, applications can:

- Avoid passing untrusted/request-derived data into `HttpException::setTitle()` and `setDescription()`. Use static, plain-text error copy instead.
- Register a custom error renderer (an `ErrorRendererInterface` implementation, or a subclass of `HtmlErrorRenderer` that escapes the title and description) for the HTML media type.

### Acknowledgments

Slim is grateful to and thanks GitHub user [0xEr3n](https://github.com/0xEr3n) for reporting this issue.

### Resources

- CWE-79: https://cwe.mitre.org/data/definitions/79.html
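The second workaround, as an added example that is not part of the advisory or the Slim project: a `HtmlErrorRenderer` subclass that HTML-escapes the title and description, registered for `text/html`, next to the risky pattern the advisory describes. It assumes the parent renderer's `getErrorTitle()` and `getErrorDescription()` are overridable protected methods.

```php
<?php
// Added example (not Slim project code): escape HttpException title and
// description before the HTML error page is built.
// Assumption: getErrorTitle()/getErrorDescription() are protected methods
// of the parent renderer that the HTML output is assembled from.

declare(strict_types=1);

use Slim\Error\Renderers\HtmlErrorRenderer;
use Slim\Exception\HttpNotFoundException;
use Slim\Factory\AppFactory;

final class EscapingHtmlErrorRenderer extends HtmlErrorRenderer
{
    protected function getErrorTitle(Throwable $exception): string
    {
        return $this->escape(parent::getErrorTitle($exception));
    }

    protected function getErrorDescription(Throwable $exception): string
    {
        return $this->escape(parent::getErrorDescription($exception));
    }

    private function escape(string $text): string
    {
        // Neutralise <, >, &, " and ' and replace invalid UTF-8 sequences.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

$app = AppFactory::create();

$app->get('/products', function ($request, $response) {
    $query = (string) ($request->getQueryParams()['q'] ?? '');
    // The pattern from the advisory: request-derived data placed in the
    // description. With the escaping renderer it is rendered as inert text;
    // the safer fix is still static copy such as "No products found."
    $notFound = new HttpNotFoundException($request);
    $notFound->setDescription("No products found matching '{$query}'.");
    throw $notFound;
});

// displayErrorDetails = false, as in the advisory; the renderer still matters.
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);

$app->run();
```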
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N