Change record status: 
Project: 
Introduced in branch: 
11.2.x
Introduced in version: 
11.2.0
Description: 

Starting in version 11.2.0, the default value of twig_sandbox_allowed_methods has been hardened so that each allowed method is tied to a specific class. This makes it safer to add methods and protects against accidentally exposing unsafe methods.

In particular, the id, label, and bundle methods are no longer allowed on any object, only on entities.

In the unlikely event that the hardened list removes access to a method you need, there are three options to resolve the problem:

  1. Add a preprocess method to call the method and expose the value(s) as variables.
  2. Create a twig filter that calls the method safely.
  3. Add an entry to your twig_sandbox_allowed_methods setting.
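
Option 2 could look like the following. This is an added example, not code from Drupal core or from this change record. The module name mymodule, the namespace of myCustomClass, the filter name my_custom_value, and the assumption that myCustomMethod() returns a scalar are all hypothetical.

```php
<?php

declare(strict_types=1);

namespace Drupal\mymodule\Twig;

// Assumed location of the class that owns myCustomMethod().
use Drupal\mymodule\myCustomClass;
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

/**
 * Exposes one method result to templates without allowing the method itself.
 *
 * Registered in mymodule.services.yml (hypothetical module) as:
 *
 *   mymodule.twig.custom_value:
 *     class: Drupal\mymodule\Twig\CustomValueExtension
 *     tags:
 *       - { name: twig.extension }
 *
 * Template usage: {{ item|my_custom_value }}
 */
final class CustomValueExtension extends AbstractExtension {

  public function getFilters(): array {
    return [new TwigFilter('my_custom_value', [$this, 'customValue'])];
  }

  /**
   * Returns the result of myCustomMethod() as a string, or NULL.
   */
  public function customValue(mixed $object): ?string {
    // Accept only the one expected class, so the filter cannot be used to
    // reach a same-named method on some other object.
    if (!$object instanceof myCustomClass) {
      return NULL;
    }
    $value = $object->myCustomMethod();
    // Hand the template a plain string, never an object with further
    // methods to call. Twig autoescaping still applies on output.
    return is_scalar($value) ? (string) $value : NULL;
  }

}
```

With this filter in place, twig_sandbox_allowed_methods does not need an entry for myCustomMethod.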

Concurrently, the use of unqualified classes has been deprecated and will be removed in 12.0.0. Customized values should be updated to match the new format.

Before, in settings.php, adding myCustomMethod to the defaults:

$settings['twig_sandbox_allowed_methods'] = [
  'id',
  'label',
  'bundle',
  'get',
  '__toString',
  'toString',
  'myCustomMethod',
];

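Afterwards, in settings.php:

// The use statements belong at the top of settings.php.
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Layout\LayoutDefinition;
// Also import myCustomClass from its own namespace.

$settings['twig_sandbox_allowed_methods'] = [
  EntityInterface::class . '::id',
  EntityInterface::class . '::label',
  EntityInterface::class . '::bundle',
  LayoutDefinition::class . '::id',
  '::get',
  '::__toString',
  '::toString',
  myCustomClass::class . '::myCustomMethod',
];
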
Impacts: 
Site builders, administrators, editors
Module developers
Themers