Add an always_allowed_in_sandbox flag for filters, functions, and tags#4816

Merged
fabpot merged 5 commits into twigphp:3.x from fabpot:always-allowed-in-sandbox
Jun 6, 2026


fabpot commented May 25, 2026

Contributor

Some filters, functions, and tags are pure and inherently safe to use in sandboxed templates. Forcing every sandbox policy to explicitly allow-list them is noisy.

Introduce an opt-in flag that lets callable and token-parser authors mark their item as always allowed in the sandbox. When set, the sandbox node visitor skips recording the name, so it never reaches the policy's checkSecurity() call: zero runtime cost, no allow-list entry required.
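
A simplified model of the mechanism described above, added here as an illustration and not taken from the pull request or from Twig's code: names flagged as always allowed are dropped before the policy check, so a policy's allow-list never sees them. The `Item` class, both functions, and all sample names are hypothetical.

```php
<?php
declare(strict_types=1);
// Simplified model only; every name below is hypothetical, not Twig's API.
final class Item
{
    public function __construct(
        public readonly string $kind, // 'filter', 'function' or 'tag'
        public readonly string $name,
        public readonly bool $alwaysAllowedInSandbox = false,
    ) {}
}

// Models the node visitor: flagged items are never recorded for the policy.
function collectForPolicy(array $used): array
{
    $recorded = [];
    foreach ($used as $item) {
        if ($item->alwaysAllowedInSandbox) {
            continue; // skipped: the policy check never sees this name
        }
        $recorded[$item->kind][] = $item->name;
    }
    return $recorded;
}

// Models the policy check: every recorded name must be on the allow-list.
function checkSecurity(array $recorded, array $allowList): array
{
    $denied = [];
    foreach ($recorded as $kind => $names) {
        foreach ($names as $name) {
            if (!in_array($name, $allowList[$kind] ?? [], true)) {
                $denied[] = "{$kind}:{$name}";
            }
        }
    }
    return $denied;
}

// Constructed sample: one flagged filter, one unlisted filter, one listed function.
$used = [
    new Item('filter', 'pure_filter', true),
    new Item('filter', 'unlisted_filter'),
    new Item('function', 'listed_function'),
];
$allowList = ['filter' => [], 'function' => ['listed_function']];
$denied = checkSecurity(collectForPolicy($used), $allowList);
echo 'denied by policy: ', implode(', ', $denied), "\n";
$flagged = array_filter($used, fn (Item $i) => $i->alwaysAllowedInSandbox);
echo 'never checked: ', implode(', ', array_map(fn (Item $i) => "{$i->kind}:{$i->name}", $flagged)), "\n";
```

Because flagged names never reach the check, the "never checked" list is what a reviewer of third-party extensions would want to audit alongside the policy's allow-list.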

fabpot force-pushed the always-allowed-in-sandbox branch 2 times, most recently from 0e6204a to 26115f2, May 25, 2026 21:14
fabpot force-pushed the always-allowed-in-sandbox branch 4 times, most recently from d31e68e to e478b52, June 2, 2026 19:58
fabpot force-pushed the always-allowed-in-sandbox branch from 9b55168 to 29c4325, June 6, 2026 06:57
fabpot merged commit 9a1d3d2 into twigphp:3.x, Jun 6, 2026
42 of 43 checks passed
fabpot deleted the always-allowed-in-sandbox branch, June 6, 2026 07:23