Fix a XSS when using a custom format callable, it was silently bypass…

…ing twig default escape by wrapping the string in a "Markup" object that is whitelisted

instead if people do need it we force them do to

->setStripTag(true) before

src/Field/Configurator/CommonPostConfigurator.php

@@ -7,6 +7,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Contracts\Field\FieldConfiguratorInterface;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
+use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
 use EasyCorp\Bundle\EasyAdminBundle\Provider\AdminContextProvider;
 use function Symfony\Component\String\u;
 use Twig\Markup;
@@ -53,6 +54,14 @@ private function buildFormattedValueOption($value, FieldDto $field, EntityDto $e
 
         $formatted = $callable($field->getValue(), $entityDto->getInstance());
 
+        // we don't want to unintentionally allow people to add XSS vulnerabilities
+        // in the code just because some people need to have HTML/JS
+        // so that if you want know what you're doing you have to explicitly
+        // disable this.
+        if ($field->getCustomOptions(TextField::OPTION_STRIP_TAGS)) {
+            return $formatted;
+        }
+
         // if the callable returns a string, wrap it in a Twig Markup to render the
         // HTML and CSS/JS elements that it might contain
         return \is_string($formatted) ? new Markup($formatted, $this->charset) : $formatted;