TwigSandboxPolicy

Default sandbox policy for Twig templates.

Twig's sandbox extension is usually used to evaluate untrusted code by limiting access to potentially unsafe properties or methods. Since we do not use ViewModels when passing objects to Twig templates, we limit what those objects can do by whitelisting certain classes, method names, and method names with an allowed prefix. All object properties may be accessed.
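The three allow-lists described above can be modelled in a few lines. This is an added example, not Drupal's own code: the class `AllowlistPolicySketch`, the exception `SandboxDenied`, the sample classes, the list contents and the order of the checks are all assumptions made for illustration.

```php
<?php
// Added illustration: stand-alone model of a class / method / prefix allow-list.
// All names and list contents below are constructed, not taken from Drupal.
class SandboxDenied extends \RuntimeException {}

final class AllowlistPolicySketch {
  private array $classes;   // class name => index: any method call allowed
  private array $methods;   // exact method name => index
  private array $prefixes;  // allowed method-name prefixes

  public function __construct(array $classes, array $methods, array $prefixes) {
    $this->classes = array_flip($classes);
    $this->methods = array_flip($methods);
    $this->prefixes = $prefixes;
  }

  public function checkMethodAllowed(object $obj, string $method): bool {
    // 1. Objects of an allowed class may have any method called.
    foreach ($this->classes as $class => $unused) {
      if ($obj instanceof $class) {
        return TRUE;
      }
    }
    // 2. Exact method-name match.
    if (isset($this->methods[$method])) {
      return TRUE;
    }
    // 3. Prefix match on the method name only; behaviour is not inspected.
    foreach ($this->prefixes as $prefix) {
      if (strncmp($method, $prefix, strlen($prefix)) === 0) {
        return TRUE;
      }
    }
    throw new SandboxDenied(sprintf('Calling "%s" on "%s" is not allowed.', $method, get_class($obj)));
  }
}

// Constructed sample classes; the methods are never invoked, only checked by name.
class TrustedHelper { public function anything() {} }
class Article { public function getTitle() {} public function getThenPurge() {} public function delete() {} }

$policy = new AllowlistPolicySketch(['TrustedHelper'], ['id', 'label'], ['get', 'has', 'is']);
$calls = [[new TrustedHelper(), 'anything'], [new Article(), 'getTitle'], [new Article(), 'getThenPurge'], [new Article(), 'delete']];
foreach ($calls as [$obj, $method]) {
  try { $policy->checkMethodAllowed($obj, $method); $result = 'allowed'; }
  catch (SandboxDenied $e) { $result = 'denied'; }
  printf("%s::%s -> %s\n", get_class($obj), $method, $result);
}
```

Because the prefix rule looks only at the method name, a side-effecting method that happens to start with an allowed prefix passes the check, so classes handed to templates should be reviewed for such methods.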

Hierarchy

  • class \Drupal\Core\Template\TwigSandboxPolicy implements Twig_Sandbox_SecurityPolicyInterface

File

core/lib/Drupal/Core/Template/TwigSandboxPolicy.php, line 16

Namespace

Drupal\Core\Template

Members

Name | Modifiers | Type | Description
TwigSandboxPolicy::$whitelisted_classes | protected | property | An array of class names for which any method calls are allowed.
TwigSandboxPolicy::$whitelisted_methods | protected | property | An array of whitelisted methods in the form of methodName => TRUE.
TwigSandboxPolicy::$whitelisted_prefixes | protected | property | An array of whitelisted method prefixes -- any method starting with one of these prefixes will be allowed.
TwigSandboxPolicy::checkMethodAllowed | public | function | Overrides Twig_Sandbox_SecurityPolicyInterface::checkMethodAllowed
TwigSandboxPolicy::checkPropertyAllowed | public | function | Overrides Twig_Sandbox_SecurityPolicyInterface::checkPropertyAllowed
TwigSandboxPolicy::checkSecurity | public | function | Overrides Twig_Sandbox_SecurityPolicyInterface::checkSecurity
TwigSandboxPolicy::__construct | public | function | Constructs a new TwigSandboxPolicy object.
doc_Drupal
2016-10-29 09:49:47