Improved
- Twig sandbox is now the sole layer of SSTI protection on editor-authored content — the legacy regex pre-filter has been retired. With the sandbox stable in beta.2 (allowlist-based `Twig\Sandbox\SecurityPolicy` covering tags / filters / functions / methods / properties), the `security.twig_filter.*` blacklist + whitelist that pre-dated it served only as a logging fallback when the sandbox was disabled. Removed across the board: blueprint section + 6 fields (`twig_filter.enabled`, `logging`, `admin_hint`, `whitelist.{functions,filters,properties}`); the `twig_filter:` block in `system/config/security.yaml`; `Security::cleanDangerousTwig()` / `cleanDangerousTwigWithStatus()` / `getDangerousTwigPatterns()`; the `CALLABLE_DANGEROUS_NAMES` and `INTROSPECTION_NAMES` constants and their compiled-pattern caches; `Security::logTwigBlock()` / `twigWhitelistHint()` and the per-request dedup map; the three `Twig::process{Page,String,Site}` call sites that used to wrap content in the regex pass before handing it to Twig; and `tests/unit/Grav/Common/Security/CleanDangerousTwigTest.php`. The sandbox remains toggleable via `security.twig_sandbox.enabled` for sites that genuinely need container access from page content; the toggle now ships with an explicit warning that disabling it removes the only SSTI protection on editor-authored content. The admin-hint comment Twig appended after a filtered render moves with the rename: `appendTwigFilterAdminHint` → `appendSandboxAdminHint`, reading from the new `security.twig_sandbox.admin_hint` config (default `true`). Net effect: a single, clean enforcement layer; ~350 fewer lines of regex; one config story to document; the sandbox is what catches a violation, the sandbox is what logs it. No upgrade action needed — `security.twig_filter.*` keys in user yaml are silently ignored.
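The allowlist-based sandbox the entry describes, shown as an added example that is not Grav's own code: a stock Twig 3 `SecurityPolicy` wired through `SandboxExtension`, with the sandbox itself catching and logging the violation. It assumes `twig/twig` installed via Composer and a hypothetical `Page` class standing in for the object exposed to editor content.

```php
<?php
// Added example, not Grav's code. Assumes `composer require twig/twig` (3.x).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical page object handed to editor-authored templates.
final class Page
{
    public function getTitle(): string { return 'Hello'; }
    public function getRawConfig(): array { return ['db_password' => 'example']; }
}

// Allowlist: anything not listed is a violation. Constructor argument order
// in Twig's SecurityPolicy is tags, filters, methods, properties, functions.
$policy = new SecurityPolicy(
    ['if', 'for'],                 // tags
    ['escape', 'upper'],           // filters ('escape' covers autoescaping; 'raw' stays blocked)
    [Page::class => ['getTitle']], // methods reachable as {{ page.title }}
    [],                            // properties
    ['range']                      // functions
);

$twigSandboxEnabled = true; // stands in for security.twig_sandbox.enabled

$twig = new Environment(new ArrayLoader([
    'ok'  => '<h1>{{ page.title|upper }}</h1>',
    'bad' => '{{ page.rawConfig.db_password }}', // getRawConfig() is not allowlisted
]), ['autoescape' => 'html']);
// Second argument = sandbox every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, $twigSandboxEnabled));

function renderEditorContent(Environment $twig, string $name): string
{
    try {
        return $twig->render($name, ['page' => new Page()]);
    } catch (SecurityError $e) {
        // One enforcement layer: the sandbox blocks the render and logs why.
        error_log(sprintf('Twig sandbox blocked "%s": %s', $name, $e->getMessage()));
        return '';
    }
}

echo renderEditorContent($twig, 'ok');  // renders the heading
echo renderEditorContent($twig, 'bad'); // empty; SecurityNotAllowedMethodError is logged
```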
Bugfix
- Fixed the `selectize` field so it can optionally store keys