Releases: twigphp/Twig
v3.28.0
Changelog (v3.27.1...v3.28.0)
- bug #4850 Render backed enums using their backing value in the html_attr function (@fabpot)
- minor #4845 Add documentation note about variable scope of override blocks in {% embed ... only %} (@andy-blum)
- minor #4843 Define macros at the template root in the cache macro fixture (@fabpot)
- bug #4841 Fix Markup truthiness in boolean expressions (@xtrime-ru)
- bug #4842 Fix a PHP 8.5 chr() deprecation when decoding octal string escapes (@austinderrick)
- feature #4292 Introduce a CorrectnessNodeVisitor to validate that templates are semantically correct (@fabpot)
- feature #4840 Mark Markup as final (@fabpot)
- feature #4838 Allow calling a macro with a dynamic name via the dot operator (@fabpot)
- bug #4835 Fix markdown_to_html mangling content that starts with a blank line (@fabpot)
- feature #4819 Add an allow-list for tests to the sandbox security policy (@fabpot)
- minor #4837 Reduce memory usage of the context restoration compiled at the end of for loops (@fabpot)
- feature #4816 Add an always_allowed_in_sandbox flag for filters, functions, and tags (@fabpot)
- feature #4834 Track the source offset of each token and expose it in syntax errors (@fabpot)
- minor #4836 Document how to customize the markdown_to_html converter (@fabpot)
- minor #4662 CoreExtension::getAttribute: small improvement regarding getter/isser/hasser (@gharlan)
- bug #4825 Make the include() function return a Markup object (@fabpot)
- bug #4830 Fix nested block() resolution when a directly rendered block calls parent() (@fabpot)
- minor #4827 Document {#--#} as the replacement for the deprecated spaceless filter (@fabpot)
- bug #4828 Stop reporting a skipped test in IntegrationTestCase when there is no legacy test to run (@fabpot)
- minor #4829 Document storing an enum in a variable to avoid repeating its FQCN (@fabpot)
- bug #4824 Cast printed expressions to string so values that cannot be converted to a string (arrays, non-Stringable objects, ...) report a usable stack trace at the print location (@stof, @fabpot)
- feature #4826 Make IntegrationTestCase and NodeTestCase compatible with PHPUnit 11 (@fabpot)
- feature #4823 Skip the sandbox __toString check on arguments whose PHP parameter type cannot implicitly coerce to string (@fabpot)
v3.27.1
Changelog (v3.27.0...v3.27.1)
v3.27.0
Changelog (v3.26.0...v3.27.0)
- security #558 Fix sandbox filter/tag/function allow-list bypass when sandbox state changes between renders (@fabpot)
- security #cve-2026-48805 Fix sandbox bypass in deprecated internal wrappers (@fabpot)
- security #552 Fix sandbox __toString policy bypass via dynamic mapping keys (@fabpot)
- security #535 Fix sandbox __toString bypasses via Traversable in join/replace filters and the in/not in operators (@fabpot)
- security #534 Fix sandbox bypass in the "column" filter under SourcePolicyInterface (@fabpot)
- feature #4817 Add a strict mode to SecurityPolicy to opt-in to the 4.0 sandbox behavior for the extends/use tags and the parent/block/attribute functions (@fabpot)
- feature #4813 Deprecate the fact that the parent, block, and attribute functions are always allowed in a sandboxed template (@fabpot)
- bug #4812 Fix PHP 8.1+ implicit float-to-int deprecation in sandboxed array access (@fabpot)
- bug #4807 Escape root profile name in HtmlDumper (@fabpot)
- bug #4808 Restrict allowed classes in Profile::unserialize() (@fabpot)
- feature #4803 Deprecate the "Twig\Sandbox\SourcePolicyInterface" interface (@fabpot)
v3.26.0
Changelog (v3.25.0...v3.26.0)
- security #cve-2026-46627 Document that the sandbox doesn't protect against resource exhaustion (@fabpot)
- security #cve-2026-46628 Pre-escape HTML input on the spaceless filter (@fabpot)
- security #cve-2026-46634 Document template_from_string caveats when used in a sandboxed env (@fabpot)
- security #cve-2026-46635 Fix sandbox bypass in the "column" filter (@alexandre-daubois)
- security #cve-2026-47732 [Sandbox] Fix __toString() support (@fabpot)
- security #cve-2026-47730 [Profiler] Escape template and profile names in HtmlDumper (@nicolas-grekas)
- security #cve-2026-46640 Fix sandbox bypass: PHP code injection via _self / import macro reference (@alexandre-daubois, @fabpot)
- security #cve-2026-46638 Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template (@alexandre-daubois)
- security #cve-2026-46633 Fix sandbox bypass: PHP code injection via {% use %} template name (@alexandre-daubois, @fabpot)
- security #cve-2026-46629 Fix unbounded memoisation of IntlDateFormatter/NumberFormatter (@alexandre-daubois)
- security #cve-2026-46637 Fix XSS and pre-escape input on HTML-emitting filters in the extras (@nicolas-grekas)
- security #cve-2026-46639 Fix sandbox bypass in object destructuring assignment (@alexandre-daubois)
- security #cve-2026-24425 Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing (@fabpot)
v4.0.0-alpha1
Changelog (v3.25.0...v4.0.0-alpha1)
- bug #4760 Fix PHPStan errors (@fabpot)
- feature #4577 Make the raw filter more "sticky" (@fabpot)
- bug #4275 Fix method visibility (@derrabus)
- bug #4260 don't read current key and value when end of iterator is reached (@xabbuh)
- feature #4251 Add back the if condition on for loops (@fabpot)
- feature #4199 Do not hide unnecessary escape characters (@ruudk)
- feature #4213 Add return types missed in #4211 (@smnandre)
- feature #4211 Add missing return types in 4.0 (@smnandre)
- bug #4169 Fix usage of loop in a for else clause (@fabpot)
- feature #4153 Add support for recursive loops (@fabpot)
- bug #4141 Fix support for IteratorAggregate and EmptyIterator objects in loops (@fabpot)
- feature #4135 Add loop.changed, loop.previous, loop.next, and loop.cycle variables (@fabpot)
- feature #4134 Make loop.last always available (@fabpot)
- feature #4131 Introduce a Loop object (@fabpot)
- feature #4075 Make Environment::getGlobals() private (@fabpot)
- feature #3990 Remove obsolete code about non-yield templates (@fabpot)
- feature #3932 [4.x] Bump to PHP 8.2 (@fabpot)
v3.25.0
Changelog (v3.24.0...v3.25.0)
v3.24.0
Changelog (v3.23.0...v3.24.0)
- feature #3930 Add an html_attr function to make outputting HTML attributes easier (@mpdude, @polarbirke)
- bug #4778 Fix null coalescing operator with imported macros (@fabpot)
- feature #4775 Add getOperatorTokens() to ExpressionParserInterface to separate operator token registration from parser identity (@fabpot)
- bug #4774 Ensure filters/attributes aren't mistaken for operators (@brandonkelly)
- feature #4771 Deprecate passing non AbstractExpression nodes to MatchesBinary (@fabpot)
- feature #4769 Deprecate passing a non-AbstractExpression node to Parser::setParent() (@fabpot)
- feature #4748 Support short-circuiting in null-safe operator chains (@HypeMC)
- feature #4743 Add html_attr_relaxed escaping strategy (@mpdude)
- feature #4759 Add support for renaming variables in object destructuring (@fabpot)