Default sandbox policy for Twig templates.
Twig's sandbox extension is usually used to evaluate untrusted code by limiting access to potentially unsafe properties or methods. Since we do not use ViewModels when passing objects to Twig templates, we limit what those objects can do by whitelisting certain classes, method names, and method names with an allowed prefix. All object properties may be accessed.
Hierarchy
- class \Drupal\Core\Template\TwigSandboxPolicy implements Twig_Sandbox_SecurityPolicyInterface
File
- core/lib/Drupal/Core/Template/TwigSandboxPolicy.php, line 16
Namespace
Drupal\Core\Template
Members
Name | Modifiers | Type | Description |
---|---|---|---|
TwigSandboxPolicy::$whitelisted_classes | protected | property | An array of class names for which any method calls are allowed. |
TwigSandboxPolicy::$whitelisted_methods | protected | property | An array of whitelisted methods in the form of methodName => TRUE. |
TwigSandboxPolicy::$whitelisted_prefixes | protected | property | An array of whitelisted method prefixes -- any method starting with one of these prefixes will be allowed. |
TwigSandboxPolicy::checkMethodAllowed | public | function | Overrides Twig_Sandbox_SecurityPolicyInterface::checkMethodAllowed |
TwigSandboxPolicy::checkPropertyAllowed | public | function | Overrides Twig_Sandbox_SecurityPolicyInterface::checkPropertyAllowed |
TwigSandboxPolicy::checkSecurity | public | function | Overrides Twig_Sandbox_SecurityPolicyInterface::checkSecurity |
TwigSandboxPolicy::__construct | public | function | Constructs a new TwigSandboxPolicy object. |
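
The three-tier method check described in the class summary, as an added example that is not Drupal's own source. `ExampleSandboxPolicy`, `isMethodAllowed`, the allowlist values and the sample classes are all constructed for illustration, and the prefix tier is assumed to be a plain string-prefix comparison. Under that assumption the prefix `is` admits `isPublished` but also `issueInvoice`, which is worth remembering when naming methods on objects that reach templates.

```php
<?php
// Added illustration; not the TwigSandboxPolicy source. All names and
// allowlist values here are constructed.

final class ExampleSandboxPolicy {
  private array $classes;   // className => TRUE: every method is allowed
  private array $methods;   // methodName => TRUE: exact-name match
  private array $prefixes;  // list of allowed method-name prefixes

  public function __construct(array $classes, array $methods, array $prefixes) {
    $this->classes = array_fill_keys($classes, TRUE);
    $this->methods = array_fill_keys($methods, TRUE);
    $this->prefixes = $prefixes;
  }

  public function isMethodAllowed(object $obj, string $method): bool {
    // Tier 1: the object is an instance of a fully trusted class.
    foreach (array_keys($this->classes) as $class) {
      if ($obj instanceof $class) {
        return TRUE;
      }
    }
    // Tier 2: exact method name.
    if (isset($this->methods[$method])) {
      return TRUE;
    }
    // Tier 3: method name starts with an allowed prefix.
    // Assumption: plain string comparison, no word-boundary check.
    foreach ($this->prefixes as $prefix) {
      if (strncmp($method, $prefix, strlen($prefix)) === 0) {
        return TRUE;
      }
    }
    return FALSE;
  }
}

// The policy inspects only the object's class and the method *name*,
// so the constructed sample classes need no methods of their own.
final class SafeAttribute {}
final class Node {}

$policy = new ExampleSandboxPolicy(['SafeAttribute'], ['id', 'label'], ['get', 'has', 'is']);
$calls = [[new SafeAttribute(), 'anything'], [new Node(), 'label'], [new Node(), 'getTitle'],
          [new Node(), 'isPublished'], [new Node(), 'issueInvoice'], [new Node(), 'delete']];
foreach ($calls as [$obj, $method]) {
  $verdict = $policy->isMethodAllowed($obj, $method) ? 'allowed' : 'denied';
  printf("%-14s %-14s %s\n", get_class($obj), $method, $verdict);
}
```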