SUMMARY
- Twig content sandbox — page content authored in the editor now renders through a Twig sandbox with allowlisted tags / filters / functions / methods / properties, blocking the SSTI class of attacks. Theme templates are unaffected.
- Admin UI for the sandbox — new "Twig Sandbox" section under Configuration → Security with toggles and editable allowlists; can be disabled wholesale if a site needs the old unrestricted behaviour.
- Dedicated `logs/security.log` — every blocked Twig expression is logged with the page route and a pointer to the exact setting to change.
- Soft-fail on sandbox violations — the rest of the page still renders, visitors see a small placeholder, admins get a hint to the log entry.
- Smarter dangerous-Twig filter — fewer false positives (e.g. `{{ page.header.user.mail }}` no longer flagged just because it contains "mail").
- Major security hardening pass — fixes for ten advisories shipped together:
  - Path-traversal in `FormFlash` (GHSA-hmcx-ch82-3fv2)
  - Salt disclosure via sandboxed Twig (GHSA-3f29-pqwf-v4j4) — HMAC key moved to `user/config/security-private.php`, auto-migrated on first request
  - User-uniqueness bypass in `UserObject::save` (GHSA-rr73-568v-28f8)
  - HMAC-signed `FileCache` payloads (GHSA-gwfr-jfjf-92vv) — tampered files treated as misses
  - Five-part `JobQueue` / `Session` flash / `InstallCommand` shell-arg / Twig-callable advisory (GHSA-vj3m-2g9h-vm4p)
  - XSS event-handler regex tightened (GHSA-9695-8fr9-hw5q + co.)
    - `svg`, `math`, `option`, `select` added to `xss_dangerous_tags` defaults
  - Markdown image attribute injection blocked (GHSA-r7fx-8g49-7hhr)
  - SVG XXE / billion-laughs hardening (GHSA-3446-6mgw-f79p)
  - Zip-Slip primitives rejected by `Installer::unZip` (GHSA-w48r-jppp-rcfw)
  - Path-traversal in
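The sandbox and soft-fail behaviour described in the first items above, shown as an added example that is not Grav's own code: it uses Twig's stock `SandboxExtension` and `SecurityPolicy` allowlists; the `Page` class, the `renderContent` helper, the placeholder text and the log line format are hypothetical stand-ins, and Twig 3.x is assumed to be installed via Composer.

```php
<?php
// Added example, not Grav's implementation. Assumes Twig 3.x via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allowlists: every tag, filter, method, property and function not named
// here is rejected, which is what blocks the SSTI class of expressions.
// 'escape' must stay allowed or autoescaping itself trips the policy.
$policy = new SecurityPolicy(
    ['if', 'for'],                 // tags
    ['escape', 'upper'],           // filters
    ['Page' => ['title']],         // methods, keyed by class name
    ['Page' => ['header']],        // properties, keyed by class name
    ['range']                      // functions
);

$twig = new Environment(new ArrayLoader());
// true = sandbox every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Hypothetical page object; 'header' is an array, and array access is
// not policy-checked, so page.header.user.mail renders fine.
class Page {
    public array $header = ['user' => ['mail' => 'editor@example.invalid']];
    public function title(): string { return 'Hello'; }
    public function getPath(): string { return '/should/never/be/reachable'; }
}

// Soft-fail: a violation is logged and replaced by a placeholder so the
// rest of the page still renders instead of the request dying.
function renderContent(Environment $twig, string $source, array $ctx, string $route): string {
    try {
        return $twig->createTemplate($source)->render($ctx);
    } catch (SecurityError $e) {
        error_log(sprintf('[twig-sandbox] route=%s blocked: %s', $route, $e->getMessage()));
        return '<span class="twig-blocked">[expression blocked; see security log]</span>';
    }
}

$ctx = ['page' => new Page()];
echo renderContent($twig, '{{ page.title()|upper }}', $ctx, '/home'), PHP_EOL;   // HELLO
echo renderContent($twig, '{{ page.header.user.mail }}', $ctx, '/home'), PHP_EOL; // allowed
echo renderContent($twig, '{{ page.getPath() }}', $ctx, '/home'), PHP_EOL;       // placeholder, logged
```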