Introduced in branch: 
8.0.x
Introduced in version: 
8.0.0-rc3
Description: 

Drupal passes fully-functional objects, such as the node being viewed, to the theme layer. This could allow, for example, a theme template to call node.delete(). To protect against this, Drupal whitelists the methods that are allowed to be called on objects.

There are three whitelists: objects for which any method call is allowed, method names which can be called on any object, and method name prefixes which allow any method beginning with one of these strings. The last whitelist allows templates to call what should be idempotent methods, such as isNew() or getEntityType(), without having to maintain an exhaustive list.

The default values are:

  • Objects: (so templates can call addClass() and similar methods)
    [
      'Drupal\Core\Template\Attribute',
    ]
  • Method names:
    [
      'id',
      'label',
      'bundle',
      'get',
      '__toString',
    ]
  • Method name prefixes:
    [
      'get',
      'has',
      'is',
    ]

Site builders can adjust these default values in a site's settings.php file by declaring the following variables. It is HIGHLY recommended that site builders include all the default values, above, when overriding these values.

$settings['twig_sandbox_whitelisted_classes'] = [ ... ];
$settings['twig_sandbox_whitelisted_methods'] = [ ... ];
$settings['twig_sandbox_whitelisted_prefixes'] = [ ... ];
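The following is an added, stand-alone PHP re-implementation of the three checks described above, using the default values; it is not code from this change record or from Drupal core, whose policy class may differ in detail. The Node and Attribute classes are constructed stand-ins for a content entity and Drupal\Core\Template\Attribute.

```php
<?php
// Added illustration of the three whitelist checks: names, prefixes, classes.
// Node and Attribute are constructed stand-ins, not Drupal's real classes.
class Node {
  public function label() { return 'Hello'; }
  public function isNew() { return FALSE; }
  public function getEntityTypeId() { return 'node'; }
  public function delete() { return 'deleted'; }
}
class Attribute {
  public function addClass($class) { return $this; }
}
// Same default values as listed above, with the stand-in Attribute class name.
$settings = [
  'twig_sandbox_whitelisted_classes' => ['Attribute'],
  'twig_sandbox_whitelisted_methods' => ['id', 'label', 'bundle', 'get', '__toString'],
  'twig_sandbox_whitelisted_prefixes' => ['get', 'has', 'is'],
];
// Decide whether a template may call $method on $object under $settings.
// Names are compared case-insensitively, as Twig lower-cases method names.
function method_allowed($object, string $method, array $settings): bool {
  $method = strtolower($method);
  // 1. Method names that may be called on any object.
  $names = array_map('strtolower', $settings['twig_sandbox_whitelisted_methods']);
  if (in_array($method, $names, TRUE)) {
    return TRUE;
  }
  // 2. Prefixes: a plain string-prefix test, so 'is' matches 'isNew' and
  //    also any other method whose name happens to begin with 'is'.
  foreach ($settings['twig_sandbox_whitelisted_prefixes'] as $prefix) {
    if (strpos($method, strtolower($prefix)) === 0) {
      return TRUE;
    }
  }
  // 3. Classes on which every method is allowed (instanceof, so subclasses too).
  foreach ($settings['twig_sandbox_whitelisted_classes'] as $class) {
    if ($object instanceof $class) {
      return TRUE;
    }
  }
  return FALSE;
}
// label() and isNew() pass via the name and prefix lists, delete() is denied,
// and addClass() passes only because Attribute is a whitelisted class.
$cases = [[new Node(), 'label'], [new Node(), 'isNew'], [new Node(), 'delete'],
          [new Attribute(), 'addClass']];
foreach ($cases as [$object, $method]) {
  printf("%s::%s() %s\n", get_class($object), $method,
    method_allowed($object, $method, $settings) ? 'allowed' : 'denied');
}
```

When auditing an override in settings.php, note that a prefix entry is a bare string-prefix match, so a short prefix admits every method whose name starts with it, not only the camelCase accessors it was meant for.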
Impacts: 
Site builders, administrators, editors
Module developers
Themers