[BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects
They are now checked via the property policy
Fix a security issue in the sandbox mode allowing an attacker to be able to call toString()
under some circumstances on an object even if the __toString() method is not allowed by the security policy
3.14.0 (2024-09-09)
Fix a security issue when an included sandboxed template has been loaded before without the sandbox context
Add the possibility to reset globals via Environment::resetGlobals()
Deprecate Environment::mergeGlobals()
3.13.0 (2024-09-07)
Add the types tag (experimental)
Deprecate the Twig\Test\NodeTestCase::getTests() data provider, override provideTests() instead.
Mark Twig\Test\NodeTestCase::getEnvironment() as final, override createEnvironment() instead.
Deprecate not overriding Twig\Test\IntegrationTestCase::getFixturesDirectory(), this method will be abstract in 4.0
Marked Twig\Test\IntegrationTestCase::getTests() and getLegacyTests() as final
3.12.0 (2024-08-29)
Deprecate the fact that the extends and use tags are always allowed in a sandboxed template.
This behavior will change in 4.0 where these tags will need to be explicitly allowed like any other tag.
Deprecate the "tag" constructor argument of the "Twig\Node\Node" class as the tag is now automatically set by the Parser when needed
Fix precedence of two-word tests when the first word is a valid test
Deprecate the spaceless filter
Deprecate some internal methods from Parser: getBlockStack(), hasBlock(), getBlock(), hasMacro(), hasTraits(), getParent()
Deprecate passing null to Twig\Parser::setParent()
Update Node::__toString() to include the node tag if set
Add support for integers in methods of Twig\Node\Node that take a Node name
Deprecate not passing a BodyNode instance as the body of a ModuleNode or MacroNode constructor
Deprecate returning "null" from "TokenParserInterface::parse()".
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/nhymxu/tramkho-blog-engine/network/alerts).
Bumps twig/twig from 3.10.3 to 3.14.2.
Changelog
Sourced from twig/twig's changelog.
... (truncated)
Commits
0b6f9d8
Prepare the 3.14.2 releasefe9e0d0
Merge branch '3.11.x' into 3.14.x3b06600
Prepare the 3.11.3 releasedbd734a
Update CHANGELOG83a21d3
Merge branch '3.11.x' into 3.14.xd3fc074
Improve detection of recursiona0f7756
Fix recursion when arrays contain self-references in sandboxed mode5b580ec
Fix code94612e7
Prepare the 3.11.2 release8b52782
Update CHANGELOGDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show