diff --git a/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
index 9368930..4313e7f 100644
--- a/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
+++ b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
@@ -13,9 +13,10 @@
  * Default sandbox policy for Twig templates.
  *
  * Twig's sandbox extension is usually used to evaluate untrusted code by
- * limiting access to potentially unsafe attributes or methods. Since we do not
+ * limiting access to potentially unsafe properties or methods. Since we do not
  * use ViewModels when passing objects to Twig templates, we limit what those
- * objects can do by whitelisting certain classes, methods, and attributes.
+ * objects can do by whitelisting certain classes, method names, and method
+ * names with an allowed prefix. All object properties may be accessed.
  */
 class TwigSandboxPolicy implements \Twig_Sandbox_SecurityPolicyInterface {
 
@@ -43,6 +44,8 @@ public function __construct() {
 // changed from a Twig template, for example calling addClass().
 'Drupal\Core\Template\Attribute',
 ]);
+ // Flip the arrays so we can check using isset().
+ $this->whitelisted_classes = array_flip($whitelisted_classes);
 
 $whitelisted_methods = Settings::get('twig_sandbox_whitelisted_methods', [
 // Only allow idempotent methods.
@@ -52,21 +55,13 @@ public function __construct() {
 'get',
 '__toString',
 ]);
+ $this->whitelisted_methods = array_flip($whitelisted_methods);
 
 $this->whitelisted_prefixes = Settings::get('twig_sandbox_whitelisted_prefixes', [
 'get',
 'has',
 'is',
 ]);
-
- // Convert a basic array into whitelisted_item => TRUE. This allows us to
- // use isset() which is faster than in_array().
- foreach ($whitelisted_methods as $method) {
- $this->whitelisted_methods[$method] = TRUE;
- }
- foreach ($whitelisted_classes as $class) {
- $this->whitelisted_classes[$class] = TRUE;
- }
 }
 
 /**
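Review bot: The flipped arrays now hold the original list indices as values, so the first whitelisted method and the first whitelisted class map to 0 where the removed foreach stored TRUE; the comment above `$this->whitelisted_classes = array_flip($whitelisted_classes);` should state explicitly that every lookup must use isset(), never a truthiness or `!empty()` test, which would silently reject the first entry of each list (failing closed, but breaking templates that call e.g. `node.id`). The check methods that consume these arrays are outside the hunk, and `__construct()` begins before it, so I cannot confirm from here that all consumers use isset(). array_flip() also emits a warning for and drops any value that is not a string or integer, so a site overriding `twig_sandbox_whitelisted_methods` or `twig_sandbox_whitelisted_classes` in settings.php with anything other than a flat list of strings ends up with a reduced allowlist plus a warning per policy construction; this constraint belongs in the documentation of those settings. Suggested comment: `// Flip the arrays so we can check using isset(). The values are the original indices (0 for the first entry), so lookups must use isset(), never a truthiness check.`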
diff --git a/core/modules/node/templates/node.html.twig b/core/modules/node/templates/node.html.twig
index d793f3a..e7e353d 100644
--- a/core/modules/node/templates/node.html.twig
+++ b/core/modules/node/templates/node.html.twig
@@ -6,7 +6,7 @@
  * Available variables:
  * - node: The node entity with limited access to object properties and methods.
 Only "getter" methods (method names starting with "get", "has", or "is")
- and a few common attributes such as "id" and "label" are available. Calling
+ and a few common methods such as "id" and "label" are available. Calling
 other methods (such as node.delete) will result in an exception.
  * - label: The title of the node.
  * - content: All node items. Use {{ content }} to print them all,
diff --git a/core/themes/bartik/templates/node.html.twig b/core/themes/bartik/templates/node.html.twig
index 951cda3..5d509aa 100644
--- a/core/themes/bartik/templates/node.html.twig
+++ b/core/themes/bartik/templates/node.html.twig
@@ -6,7 +6,7 @@
  * Available variables:
  * - node: The node entity with limited access to object properties and methods.
 Only "getter" methods (method names starting with "get", "has", or "is")
- and a few common attributes such as "id" and "label" are available. Calling
+ and a few common methods such as "id" and "label" are available. Calling
 other methods (such as node.delete) will result in an exception.
  * - label: The title of the node.
  * - content: All node items. Use {{ content }} to print them all,
diff --git a/core/themes/classy/templates/content/node.html.twig b/core/themes/classy/templates/content/node.html.twig
index de27a85..5af7c25 100644
--- a/core/themes/classy/templates/content/node.html.twig
+++ b/core/themes/classy/templates/content/node.html.twig
@@ -6,7 +6,7 @@
  * Available variables:
  * - node: The node entity with limited access to object properties and methods.
 Only "getter" methods (method names starting with "get", "has", or "is")
- and a few common attributes such as "id" and "label" are available. Calling
+ and a few common methods such as "id" and "label" are available. Calling
 other methods (such as node.delete) will result in an exception.
  * - label: The title of the node.
  * - content: All node items. Use {{ content }} to print them all,