Releases: twigphp/Twig

v3.28.0

@fabpot released this 03 Jul 20:44
Immutable release. Only release title and notes can be modified.
v3.28.0
597c12e

Changelog (v3.27.1...v3.28.0)

  • bug #4850 Render backed enums using their backing value in the html_attr function (@fabpot)
  • minor #4845 Add documentation note about variable scope of override blocks in { embed ... only } (@andy-blum)
  • minor #4843 Define macros at the template root in the cache macro fixture (@fabpot)
  • bug #4841 Fix Markup truthiness in boolean expressions (@xtrime-ru)
  • bug #4842 Fix a PHP 8.5 chr() deprecation when decoding octal string escapes (@austinderrick)
  • feature #4292 Introduce a CorrectnessNodeVisitor to validate that templates are semantically correct (@fabpot)
  • feature #4840 Mark Markup as final (@fabpot)
  • feature #4838 Allow calling a macro with a dynamic name via the dot operator (@fabpot)
  • bug #4835 Fix markdown_to_html mangling content that starts with a blank line (@fabpot)
  • feature #4819 Add an allow-list for tests to the sandbox security policy (@fabpot)
  • minor #4837 Reduce memory usage of the context restoration compiled at the end of for loops (@fabpot)
  • feature #4816 Add an always_allowed_in_sandbox flag for filters, functions, and tags (@fabpot)
  • feature #4834 Track the source offset of each token and expose it in syntax errors (@fabpot)
  • minor #4836 Document how to customize the markdown_to_html converter (@fabpot)
  • minor #4662 CoreExtension::getAttribute: small improvement regarding getter/isser/hasser (@gharlan)
  • bug #4825 Make the include() function return a Markup object (@fabpot)
  • bug #4830 Fix nested block() resolution when a directly rendered block calls parent() (@fabpot)
  • minor #4827 Document {#--#} as the replacement for the deprecated spaceless filter (@fabpot)
  • bug #4828 Stop reporting a skipped test in IntegrationTestCase when there is no legacy test to run (@fabpot)
  • minor #4829 Document storing an enum in a variable to avoid repeating its FQCN (@fabpot)
  • bug #4824 Cast printed expressions to string so values that cannot be converted to a string (arrays, non-Stringable objects, ...) report a usable stack trace at the print location (@stof, @fabpot)
  • feature #4826 Make IntegrationTestCase and NodeTestCase compatible with PHPUnit 11 (@fabpot)
  • feature #4823 Skip the sandbox __toString check on arguments whose PHP parameter type cannot implicitly coerce to string (@fabpot)

v3.27.1

@fabpot released this 30 May 17:09
Immutable release. Only release title and notes can be modified.
v3.27.1
ae2071b

Changelog (v3.27.0...v3.27.1)

  • bug #4822 Fix inconsistent array access with a Stringable key (@fabpot)
  • bug #4821 Preserve IteratorAggregate identity in sandbox __toString walker (@fabpot)

v3.27.0

@fabpot released this 27 May 13:06
v3.27.0
04ae1bf

Changelog (v3.26.0...v3.27.0)

  • security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@fabpot)
  • security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@fabpot)
  • security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@fabpot)
  • security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@fabpot)
  • security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@fabpot)
  • feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@fabpot)
  • feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@fabpot)
  • bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@fabpot)
  • bug #4807 Escape root profile name in HtmlDumper (@fabpot)
  • bug #4808 Restrict allowed classes in Profile::unserialize() (@fabpot)
  • feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@fabpot)

v3.26.0

@fabpot released this 20 May 07:32
v3.26.0
1fcae48

Changelog (v3.25.0...v3.26.0)

v4.0.0-alpha1

@fabpot released this 17 May 08:03
v4.0.0-alpha1
6931c92

Changelog (v3.25.0...v4.0.0-alpha1)

v3.25.0

@fabpot released this 17 May 07:41
v3.25.0
0dade99

Changelog (v3.24.0...v3.25.0)

v3.24.0

@fabpot released this 17 Mar 21:31
a6769ae

Changelog (v3.23.0...v3.24.0)

  • feature #3930 Add an html_attr function to make outputting HTML attributes easier (@mpdude, @polarbirke)
  • bug #4778 Fix null coalescing operator with imported macros (@fabpot)
  • feature #4775 Add getOperatorTokens() to ExpressionParserInterface to separate operator token registration from parser identity (@fabpot)
  • bug #4774 Ensure filters/attributes aren't mistaken for operators (@brandonkelly)
  • feature #4771 Deprecate passing non AbstractExpression nodes to MatchesBinary (@fabpot)
  • feature #4769 Deprecate passing a non-AbstractExpression node to Parser::setParent() (@fabpot)
  • feature #4748 Support short-circuiting in null-safe operator chains (@HypeMC)
  • feature #4743 Add html_attr_relaxed escaping strategy (@mpdude)
  • feature #4759 Add support for renaming variables in object destructuring (@fabpot)