* 1.6.5 (2012-XX-XX)
+ * added compilation checks to avoid misuses of the sandbox tag
* fixed filesystem loader freshness logic for high traffic websites
* 1.6.4 (2012-04-02)
*/
public function enterNode(Twig_NodeInterface $node, Twig_Environment $env)
{
+ // in a sandbox tag, only include tags are allowed
+ if ($node instanceof Twig_Node_Sandbox && !$node->getNode('body') instanceof Twig_Node_Include) {
+ foreach ($node->getNode('body') as $n) {
+ if ($n instanceof Twig_Node_Text && ctype_space($n->getAttribute('data'))) {
+ continue;
+ }
+
+ if (!$n instanceof Twig_Node_Include) {
+ throw new Twig_Error_Syntax('Only "include" tags are allowed within a "sandbox" section', $n->getLine());
+ }
+ }
+ }
+
if ($node instanceof Twig_Node_Module) {
$this->inAModule = true;
$this->tags = array();
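Review bot: The added `foreach` walks the children of the sandbox body, so it checks the right nodes only when the body is a wrapper holding the tags. The `!$node->getNode('body') instanceof Twig_Node_Include` guard implies the parser can return a lone node unwrapped; when that node is not an include, the loop inspects its sub-nodes instead of the node itself, and a node without children (presumably a single text node) passes without the syntax error. Assuming the wrapper is a plain `Twig_Node`, I would normalise first with `$body = $node->getNode('body');` and `$nodes = 'Twig_Node' === get_class($body) ? $body : array($body);`, then iterate `$nodes`. enterNode starts above the added lines and continues past the end of the hunk.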
--- /dev/null
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+ {%- include "foo.twig" %}
+ a
+{%- endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--EXCEPTION--
+Twig_Error_Syntax: Only "include" tags are allowed within a "sandbox" section in "index.twig" at line 4
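Review bot: The `--TEST--` description is the bare `sandbox tag` here and in the two fixtures that follow, so a failing run does not say which case broke. Distinct descriptions would help, for example `sandbox tag rejects text next to an include` for this one, `sandbox tag rejects nested tags` for the second and `sandbox tag accepts include-only bodies` for the third. None of the three covers a section whose whole body is a single non-include node, which is worth pinning because the check iterates the body's children.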
--- /dev/null
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+ {%- include "foo.twig" %}
+
+ {% if 1 %}
+ {%- include "foo.twig" %}
+ {% endif %}
+{%- endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--EXCEPTION--
+Twig_Error_Syntax: Only "include" tags are allowed within a "sandbox" section in "index.twig" at line 5
--- /dev/null
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+ {%- include "foo.twig" %}
+{%- endsandbox %}
+
+{%- sandbox %}
+ {%- include "foo.twig" %}
+ {%- include "foo.twig" %}
+{%- endsandbox %}
+
+{%- sandbox %}{% include "foo.twig" %}{% endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--DATA--
+return array()
+--EXPECT--
+foo
+foo
+foo
+foo
$twig = new Twig_Environment($loader, $config);
$twig->addExtension(new TestExtension());
$twig->addExtension(new Twig_Extension_Debug());
+ $policy = new Twig_Sandbox_SecurityPolicy(array(), array(), array(), array(), array());
+ $twig->addExtension(new Twig_Extension_Sandbox($policy, false));
try {
$template = $twig->loadTemplate('index.twig');