nelmio / NelmioSecurityBundle

Adds extra security-related features in your Symfony application
https://symfony.com/bundles/NelmioSecurityBundle/
MIT License
651 stars 85 forks

Incompatibility with twig 3.9 #343

Closed jderusse closed 4 months ago

jderusse commented 6 months ago

Since https://github.com/twigphp/Twig/pull/3999, we cannot use the ob_ methods to get the generated output. As a result, the output generated by the CSPNode is empty, which leads to an exception: Invalid script, you should use a single <script> tag.

My Twig template is:

            {% cspscript %}
                <script>
                  alert('foo')
                </script>
            {% endcspscript %}

the generated PHP code is

        // line 315
        yield "            ";
        ob_start();
        yield "                <script>
                  alert('foo')
                </script>
            ";
        $this->env->getRuntime('Nelmio\SecurityBundle\Twig\CSPRuntime')->getListener()->addSha('script-src', 'sha384-Ee2u6OPPCwK16NVPQ56ORx7yfwYmCmO+bYzRi4OsT+wo/iiP9f8p/+7GNTdT2++t');
        echo ob_get_clean();
        // line 320
        yield "        ";

The content of ob_get_clean() is "".
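
The following is an added illustration, not code from NelmioSecurityBundle or Twig, of the mechanism behind the empty buffer described above: once the compiled template body yields its chunks instead of echoing them, an enclosing ob_start()/ob_get_clean() pair never sees those bytes, because yielded values go to whoever iterates the generator, not to PHP's output stream. It also shows one generator-aware way to capture the content (drain the inner generator into a string, hash it, then re-emit it). All function names, the regex that extracts the script body, and the sample template body are assumptions for the example; only the exception text and the sha384 prefix come from the issue.

```php
<?php
declare(strict_types=1);

// Added example (not NelmioSecurityBundle or Twig code). All functions here are
// hypothetical stand-ins that model the behaviour discussed in the issue.

/** Stand-in for the compiled {% cspscript %} body: Twig 3.9+ yields chunks. */
function templateBody(): \Generator
{
    yield "<script>\n";
    yield "  alert('foo')\n";
    yield "</script>\n";
}

/**
 * Mirrors the generated code quoted in the issue: output buffering wrapped
 * around a yielding body. The chunks pass straight to the consumer of this
 * generator and never enter the output buffer, so ob_get_clean() returns ''.
 * Note that the buffer stays open while the caller iterates, so anything the
 * caller echoes in the meantime would be swallowed by it instead.
 */
function cspNodeWithOutputBuffer(\Generator $body): \Generator
{
    ob_start();
    yield from $body;                     // bypasses the buffer entirely
    $captured = (string) ob_get_clean();  // always ''
    return $captured;                     // readable via Generator::getReturn()
}

/**
 * Generator-aware alternative: drain the inner generator into a string, make
 * it available for hashing, then re-emit it so the page output is unchanged.
 */
function cspNodeCollectingYield(\Generator $body): \Generator
{
    $captured = '';
    foreach ($body as $chunk) {
        $captured .= $chunk;
    }
    yield $captured;
    return $captured;
}

/**
 * Simplified hash step: require exactly one <script> element and return the
 * CSP source expression for its inline content (CSP hashes the script text,
 * not the tags). The exception message matches the one quoted in the issue;
 * the regex is an assumption, not the bundle's own extraction logic.
 */
function scriptSha384(string $html): string
{
    if (preg_match_all('#<script[^>]*>(.*?)</script>#s', $html, $matches) !== 1) {
        throw new \RuntimeException('Invalid script, you should use a single <script> tag.');
    }
    return 'sha384-' . base64_encode(hash('sha384', $matches[1][0], true));
}

/** Runs one node variant and returns [rendered page output, captured content]. */
function render(callable $node): array
{
    $output = '';
    $gen = $node(templateBody());
    foreach ($gen as $chunk) {
        $output .= $chunk;
    }
    return [$output, $gen->getReturn()];
}

$variants = [
    'output buffer'   => 'cspNodeWithOutputBuffer',
    'collected yield' => 'cspNodeCollectingYield',
];

foreach ($variants as $label => $fn) {
    [$output, $captured] = render($fn);
    printf("%-16s captured %d bytes, page output %d bytes\n", $label, strlen($captured), strlen($output));
    try {
        printf("%-16s %s\n", '', scriptSha384($captured));
    } catch (\RuntimeException $e) {
        printf("%-16s exception: %s\n", '', $e->getMessage());
    }
}
```

Running this with a PHP 7.1+ CLI shows the first variant capturing zero bytes and raising the "Invalid script" exception even though the page output is complete, while the second captures the full block and produces a sha384 source expression. The real bundle computes the hash for static content at compile time (the hard-coded value in the generated code above), so the runtime hashing here is only a stand-in for whatever consumes the captured content.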

Tjeerd commented 6 months ago

Yup, most of my pipelines are failing this week because of this update to Twig. Because our default, and enforced, security policy is to use NelmioSecurityBundle, this has quite an impact.

Thanks to @jderusse for the fix/improvement. Let's get it merged!