Enabled Twig Sandbox MOde

docs/CHANGELOG.md

@@ -1,6 +1,10 @@
 Changelog
 =========
 
+1.1.2 (January 6, 2024)
+----------------------
+- Enh: Added Twig SecurityPolicy
+
 1.1.1 (August 5, 2022)
 ----------------------
 - Fix #15: Fixed HumHub 1.12+ support / Twig 3 Migration

module.json

@@ -3,7 +3,7 @@
   "name": "Virtual Card Popover",
   "description": "Shows a virtual business card displaying brief information about the user when hovering over a user's profile picture or name",
   "keywords": ["business card, popover, hover, profile information"],
-  "version": "1.1.1",
+  "version": "1.1.2",
   "humhub": {
     "minVersion": "1.12"
   },

widgets/VCardSpace.php

@@ -15,7 +15,9 @@
 use Twig\Error\LoaderError;
 use Twig\Error\RuntimeError;
 use Twig\Error\SyntaxError;
+use Twig\Extension\SandboxExtension;
 use Twig\Loader\ArrayLoader;
+use Twig\Sandbox\SecurityPolicy;
 use Yii;
 
 
@@ -42,6 +44,8 @@ public function run()
         $memberCount = Membership::getSpaceMembersQuery($this->space)->count();
 
         $twig = new Environment(new ArrayLoader());
+        $twig->addExtension(new SandboxExtension(new SecurityPolicy(['if', 'for'], ['escape']), true));
+
         $templateParams = ['space' => $this->space, 'memberCount' => $memberCount];
 
         try {

widgets/VCardUser.php

@@ -13,7 +13,9 @@
 use Twig\Error\LoaderError;
 use Twig\Error\RuntimeError;
 use Twig\Error\SyntaxError;
+use Twig\Extension\SandboxExtension;
 use Twig\Loader\ArrayLoader;
+use Twig\Sandbox\SecurityPolicy;
 use Yii;
 
 
@@ -31,6 +33,8 @@ public function run()
         $module = Yii::$app->getModule('popover-vcard');
 
         $twig = new Environment(new ArrayLoader());
+        $twig->addExtension(new SandboxExtension(new SecurityPolicy(['if', 'for'], ['escape']), true));
+
         $templateParams = ['user' => $this->user, 'profile' => $this->user->profile];
 
         try {