Enforce the sandbox Markup exception for every security policy #4839

Merged: fabpot merged 1 commit into twigphp:4.x from fabpot:hardcoded-checks-removal on Jun 9, 2026

@fabpot fabpot commented Jun 7, 2026

Contributor

This is (maybe) my last change in 4.x to remove things that were hardcoded in 3.x.

It moves the sandbox exception for Twig\Markup out of the default SecurityPolicy and into the runtime string-coercion check: now, only __toString() is allowed by default and custom security policies inherit that automatically.

The branch also removes the hardcoded Template bypass from SecurityPolicy::checkMethodAllowed(): template attribute access is already rejected earlier by CoreExtension::getAttribute(), so the policy-level exception was dead code (IIRC, it was needed in the old days for calling macros, but not anymore).

@fabpot fabpot force-pushed the hardcoded-checks-removal branch 2 times, most recently from ba1ae6e to bfaddc9 Compare June 7, 2026 08:20
@fabpot fabpot changed the base branch from 3.x to 4.x June 7, 2026 08:20
@fabpot fabpot changed the base branch from 4.x to 3.x June 9, 2026 19:45
@fabpot fabpot changed the base branch from 3.x to 4.x June 9, 2026 19:46
@fabpot fabpot force-pushed the hardcoded-checks-removal branch from bfaddc9 to b1cac7c Compare June 9, 2026 19:47
@fabpot fabpot merged commit 5c0a528 into twigphp:4.x Jun 9, 2026
@fabpot fabpot deleted the hardcoded-checks-removal branch June 9, 2026 19:47