nette / latte

☕ Latte: the safest & truly intuitive templates for PHP. Engine for those who want the most secure PHP sites.
https://latte.nette.org

Fatal Error using filter _replace_ with Sandbox + StrictParsing #347

Closed NoNoNo closed 8 months ago

NoNoNo commented 8 months ago

Version: Latte 3.0.10 (latest), PHP 8.1.24

Bug Description

Using filter replace in Sandbox & StrictParsing mode:

Fatal error: Uncaught Latte\CompileException: Forbidden variable $this. in vendor/latte/latte/src/Latte/Essential/Passes.php on line 113

Steps To Reproduce

<?php

require_once 'vendor/autoload.php';

$latte = new \Latte\Engine;
$latte->setPolicy(\Latte\Sandbox\SecurityPolicy::createSafePolicy());
$latte->setSandboxMode();
$latte->setStrictParsing();
$latte->setLoader(new \Latte\Loaders\StringLoader);
$latte->render('{$test|replace("foo", "case")}', ['test' => 'test-foo']);

Expected Behavior

Output of string test-case.