chore(deps): update dependency twig/twig to v3.26.0 #64

Open
renovate[bot] wants to merge 1 commit into master from renovate/twig-monorepo

renovate Bot commented Mar 3, 2025

This PR contains the following updates:

Package              Change            Age    Confidence
twig/twig (source)   3.8.0 → 3.26.0    age    confidence

Release Notes

twigphp/Twig (twig/twig)

v3.26.0

Compare Source

  • Document that the sandbox doesn't protect against resource exhaustion
  • Document template_from_string caveats when used in a sandboxed environment
  • Add docs on Markup about the goal of this class in the context of a sandbox
  • Pre-escape HTML input on the spaceless filter
  • Pre-escape HTML input on inline_css and inky_to_html filters
  • Fix XSS by adjusting is_safe annotation on HTML-emitting filters
  • [Profiler] Escape template and profile names in HtmlDumper
  • Fix unbounded memoisation of IntlDateFormatter / NumberFormatter
  • Fix sandbox bypass in the "column" filter
  • Fix sandbox bypass in the {% sandbox %} tag when including a preloaded template
  • Fix sandbox bypass: PHP code injection via {% use %} template name
  • Fix sandbox bypass: PHP code injection via _self / import macro reference
  • Fix sandbox bypass in object destructuring assignment
  • Fix sandbox bypass: propagate Source to checkArrow for source-policy sandboxing
  • Encode single quotes as \x27 in Compiler::string() as a defense-in-depth measure
  • Fix sandbox __toString bypasses
  • Add Twig\Node\CoercesChildrenToStringInterface to let nodes declare which of their child nodes will be string-coerced at runtime so the sandbox wraps them with a __toString check

v3.25.0

Compare Source

  • Add a needs_is_sandboxed option for filters, functions, and tests
  • Use deterministic suffixes for generated embed classes
  • Lazy-load EscaperRuntime in EscaperExtension

v3.24.0

Compare Source

  • Deprecate not implementing the getOperatorTokens() method in ExpressionParserInterface implementations
  • Deprecate passing a non-AbstractExpression node to Twig\Node\Expression\Binary\MatchesBinary constructor
  • Deprecate passing a non-AbstractExpression node to Parser::setParent()
  • Add support for renaming variables in object destructuring ({name: userName} = user)
  • Add html_attr_relaxed escaping strategy that preserves :, @, [, and ] for front-end framework attribute names
  • Add support for short-circuiting in null-safe operator chains
  • Add the html_attr function and html_attr_merge as well as html_attr_type filters

v3.23.0

Compare Source

  • Add = assignment operator (allows to set variables in expression or to replace the short-form of the set tag)
  • Add sequence, mapping, and object destructuring
  • Add ?. null-safe operator
  • Add === and !== operators (equivalent to the same as and not same as tests)
  • Fix opcache preload warning for unlinked anonymous class
  • Fix spread operator behavior

v3.22.2

Compare Source

  • n/a

v3.22.1

Compare Source

  • Add support for Symfony 8

v3.22.0

Compare Source

  • Add support for two words test in guard tag
  • Add Environment::registerUndefinedTestCallback()
  • Fix compatibility with Symfony 8
  • Fix accessing arrays with stringable objects as key
  • Avoid errors when failing to guess the template info for an error
  • Fix expression parser compatibility layer
  • Fix compiling 'index' with repr (not string) in EmbedNode
  • Update configuration keys + allow extra keys for CommonMark extensions
  • Allow usage of other Markdown converters than CommonMark in LeagueMarkdown

v3.21.1

Compare Source

  • Fix ExtensionSet usage of BinaryOperatorExpressionParser

v3.21.0

Compare Source

  • Fix wrong array index
  • Deprecate Template::loadTemplate()
  • Fix testing and expression when it evaluates to an instance of Markup
  • Add ReturnPrimitiveTypeInterface (and sub-interfaces for number, boolean, string, and array)
  • Add SupportDefinedTestInterface for expression nodes supporting the defined test
  • Deprecate using the | operator in an expression with + or - without using parentheses to clarify precedence
  • Deprecate operator precedence outside of the [0, 512] range
  • Introduce expression parser classes to describe operators and operands provided by extensions
    instead of arrays (it comes with many deprecations that are documented in
    the deprecated documentation chapter)
  • Deprecate the Twig\ExpressionParser, and Twig\OperatorPrecedenceChange classes
  • Add attributes AsTwigFilter, AsTwigFunction, and AsTwigTest to ease extension development

v3.20.0

Compare Source

  • Fix support for ignoring syntax errors in an undefined handler in guard
  • Add configuration for Commonmark
  • Fix wrong array index
  • Bump minimum PHP version to 8.1
  • Add support for registering callbacks for undefined functions, filters or token parsers in the IntegrationTestCase
  • Use correct line number for ForElseNode
  • Fix timezone conversion on strings

v3.19.0

Compare Source

  • Fix a security issue where escaping was missing when using ??
  • Deprecate Token::getType(), use Token::test() instead
  • Add Token::toEnglish()
  • Add ForElseNode
  • Deprecate Twig\ExpressionParser::parseOnlyArguments() and
    Twig\ExpressionParser::parseArguments() (use
    Twig\ExpressionParser::parseNamedArguments() instead)
  • Fix constant() behavior when used with ??
  • Add the invoke filter
  • Make {} optional for the types tag
  • Add LastModifiedExtensionInterface and implementation in AbstractExtension to track modification of runtime classes
  • Ignore static properties when using the dot operator

v3.18.0

Compare Source

  • Fix unary operator precedence change
  • Ignore SyntaxError exceptions from undefined handlers when using the guard tag
  • Add a way to stream template rendering (TemplateWrapper::stream() and TemplateWrapper::streamBlock())

v3.17.1

Compare Source

  • Fix the null coalescing operator when the test returns null
  • Fix the Elvis operator when used as '? :' instead of '?:'
  • Support for invoking closures

v3.17.0

Compare Source

  • Fix ArrayAccess with objects as keys
  • Support underscores in number literals
  • Deprecate ConditionalExpression and NullCoalesceExpression (use ConditionalTernary and NullCoalesceBinary instead)

v3.16.0

Compare Source

  • Deprecate InlinePrint
  • Fix having macro variables starting with an underscore
  • Deprecate not passing a Source instance to TokenStream
  • Deprecate returning null from TwigFilter::getSafe() and TwigFunction::getSafe(), return [] instead

v3.15.0

Compare Source

  • [BC BREAK] Add support for accessing class constants with the dot operator;
    this can be a BC break if you don't use UPPERCASE constant names
  • Add Spanish inflector support for the plural and singular filters in the String extension
  • Deprecate TempNameExpression in favor of LocalVariable
  • Deprecate NameExpression in favor of ContextVariable
  • Deprecate AssignNameExpression in favor of AssignContextVariable
  • Remove MacroAutoImportNodeVisitor
  • Deprecate MethodCallExpression in favor of MacroReferenceExpression
  • Fix support for the "is defined" test on _self.xxx (auto-imported) macros
  • Fix support for the "is defined" test on inherited macros
  • Add named arguments support for the dot operator arguments (foo.bar(some: arg))
  • Add named arguments support for macros
  • Add a new guard tag that allows to test if some Twig callables are available at compilation time
  • Allow arrow functions everywhere
  • Deprecate passing a string or an array to Twig callable arguments accepting arrow functions (pass a \Closure)
  • Add support for triggering deprecations for future operator precedence changes
  • Deprecate using the not unary operator in an expression with *, /, //, or % without using explicit parentheses to clarify precedence
  • Deprecate using the ?? binary operator without explicit parentheses
  • Deprecate using the ~ binary operator in an expression with + or - without using parentheses to clarify precedence
  • Deprecate not passing AbstractExpression args to most constructor arguments for classes extending AbstractExpression
  • Fix power expressions with a negative number in parenthesis ((-1) ** 2)
  • Deprecate instantiating Node directly. Use EmptyNode or Nodes instead.
  • Add support for inline comments
  • Add Profile::getStartTime() and Profile::getEndTime()
  • Fix "ignore missing" when used on an "embed" tag
  • Fix the possibility to override an aliased block (via use)
  • Add template cache hot reload
  • Allow Twig callable argument names to be free-form (snake-case or camelCase) independently of the PHP callable signature
    They were automatically converted to snake-cased before
  • Deprecate the attribute function; use the . notation and wrap the name with parenthesis instead
  • Add support for argument unpackaging
  • Add JSON support for the file extension escaping strategy
  • Support Markup instances (and any other \Stringable) as dynamic mapping keys
  • Deprecate the sandbox tag
  • Improve the way one can deprecate a Twig callable (use deprecation_info instead of the other callable options)
  • Add the enum function
  • Add support for logical xor operator

v3.14.2

Compare Source

  • Fix an infinite recursion in the sandbox code

v3.14.1

Compare Source

  • [BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects
    They are now checked via the property policy
  • Fix a security issue in the sandbox mode allowing an attacker to be able to call toString()
    under some circumstances on an object even if the __toString() method is not allowed by the security policy

v3.14.0

Compare Source

  • Fix a security issue when an included sandboxed template has been loaded before without the sandbox context
  • Add the possibility to reset globals via Environment::resetGlobals()
  • Deprecate Environment::mergeGlobals()

v3.13.0

Compare Source

  • Add the types tag (experimental)
  • Deprecate the Twig\Test\NodeTestCase::getTests() data provider, override provideTests() instead.
  • Mark Twig\Test\NodeTestCase::getEnvironment() as final, override createEnvironment() instead.
  • Deprecate Twig\Test\NodeTestCase::getVariableGetter(), call createVariableGetter() instead.
  • Deprecate Twig\Test\NodeTestCase::getAttributeGetter(), call createAttributeGetter() instead.
  • Deprecate not overriding Twig\Test\IntegrationTestCase::getFixturesDirectory(), this method will be abstract in 4.0
  • Marked Twig\Test\IntegrationTestCase::getTests() and getLegacyTests() as final

v3.12.0

Compare Source

  • Deprecate the fact that the extends and use tags are always allowed in a sandboxed template.
    This behavior will change in 4.0 where these tags will need to be explicitly allowed like any other tag.
  • Deprecate the "tag" constructor argument of the "Twig\Node\Node" class as the tag is now automatically set by the Parser when needed
  • Fix precedence of two-word tests when the first word is a valid test
  • Deprecate the spaceless filter
  • Deprecate some internal methods from Parser: getBlockStack(), hasBlock(), getBlock(), hasMacro(), hasTraits(), getParent()
  • Deprecate passing null to Twig\Parser::setParent()
  • Update Node::__toString() to include the node tag if set
  • Add support for integers in methods of Twig\Node\Node that take a Node name
  • Deprecate not passing a BodyNode instance as the body of a ModuleNode or MacroNode constructor
  • Deprecate returning "null" from "TokenParserInterface::parse()".
  • Deprecate OptimizerNodeVisitor::OPTIMIZE_TEXT_NODES
  • Fix performance regression when use_yield is false (which is the default)
  • Improve compatibility when use_yield is false (as extensions still using echo will work as is)
  • Accept colons (:) in addition to equals (=) to separate argument names and values in named arguments
  • Add the html_cva function (in the HTML extra package)
  • Add support for named arguments to the block and attribute functions
  • Throw a SyntaxError exception at compile time when a Twig callable has not the minimum number of required arguments
  • Add a CallableArgumentsExtractor class
  • Deprecate passing a name to FunctionExpression, FilterExpression, and TestExpression;
    pass a TwigFunction, TwigFilter, or TestFilter instead
  • Deprecate all Twig callable attributes on FunctionExpression, FilterExpression, and TestExpression
  • Deprecate the filter node of FilterExpression
  • Add the notion of Twig callables (functions, filters, and tests)
  • Bump minimum PHP version to 8.0
  • Fix integration tests when a test has more than one data/expect section and deprecations
  • Add the enum_cases function

v3.11.3

Compare Source

v3.11.2

Compare Source

  • [BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects
    They are now checked via the property policy
  • Fix a security issue in the sandbox mode allowing an attacker to be able to call toString()
    under some circumstances on an object even if the __toString() method is not allowed by the security policy

v3.11.1

Compare Source

  • Fix a security issue when an included sandboxed template has been loaded before without the sandbox context

v3.11.0

Compare Source

  • Deprecate OptimizerNodeVisitor::OPTIMIZE_RAW_FILTER
  • Add Twig\Cache\ChainCache and Twig\Cache\ReadOnlyFilesystemCache
  • Add the possibility to deprecate attributes and nodes on Node
  • Add the possibility to add a package and a version to the deprecated tag
  • Add the possibility to add a package for filter/function/test deprecations
  • Mark ConstantExpression as being @final
  • Add the find filter
  • Fix optimizer mode validation in OptimizerNodeVisitor
  • Add the possibility to yield from a generator in PrintNode
  • Add the shuffle filter
  • Add the singular and plural filters in StringExtension
  • Deprecate the second argument of Twig\Node\Expression\CallExpression::compileArguments()
  • Deprecate Twig\ExpressionParser\parseHashExpression() in favor of
    Twig\ExpressionParser::parseMappingExpression()
  • Deprecate Twig\ExpressionParser\parseArrayExpression() in favor of
    Twig\ExpressionParser::parseSequenceExpression()
  • Add sequence and mapping tests
  • Deprecate Twig\Node\Expression\NameExpression::isSimple() and
    Twig\Node\Expression\NameExpression::isSpecial()

v3.10.3

Compare Source

  • Fix missing ; in generated code

v3.10.2

Compare Source

  • Fix support for the deprecated escaper signature

v3.10.1

Compare Source

  • Fix BC break on escaper extension
  • Fix constant return type

v3.10.0

Compare Source

  • Make CoreExtension::formatDate, CoreExtension::convertDate, and
    CoreExtension::formatNumber part of the public API

  • Add needs_charset option for filters and functions

  • Extract the escaping logic from the EscaperExtension class to a new
    EscaperRuntime class.

    The following methods from Twig\Extension\EscaperExtension are
    deprecated: setEscaper(), getEscapers(), setSafeClasses,
    addSafeClasses(). Use the same methods on the
    Twig\Runtime\EscaperRuntime class instead.

  • Fix capturing output from extensions that still use echo

  • Fix a PHP warning in the Lexer on malformed templates

  • Fix blocks not available under some circumstances

  • Synchronize source context in templates when setting a Node on a Node

v3.9.3

Compare Source

  • Add missing twig_escape_filter_is_safe deprecated function
  • Fix yield usage with CaptureNode
  • Add missing unwrap call when using a TemplateWrapper instance internally
  • Ensure Lexer is initialized early on

v3.9.2

Compare Source

  • Fix usage of display_end hook

v3.9.1

Compare Source

  • Fix missing $blocks variable in CaptureNode

v3.9.0

Compare Source

  • Add support for PHP 8.4
  • Deprecate AbstractNodeVisitor
  • Deprecate passing Template to Environment::resolveTemplate(), Environment::load(), and Template::loadTemplate()
  • Add a new "yield" mode for output generation;
    Node implementations that use "echo" or "print" should use "yield" instead;
    all Node implementations should be flagged with #[YieldReady] once they've been made ready for "yield";
    the "use_yield" Environment option can be turned on when all nodes have been made #[YieldReady];
    "yield" will be the only strategy supported in the next major version
  • Add return type for Symfony 7 compatibility
  • Fix premature loop exit in Security Policy lookup of allowed methods/properties
  • Deprecate all internal extension functions in favor of methods on the extension classes
  • Mark all extension functions as @internal
  • Add SourcePolicyInterface to selectively enable the Sandbox based on a template's Source
  • Throw a proper Twig exception when using cycle on an empty array

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/twig-monorepo branch from 7d6b49a to dc5d82f (May 2, 2025 15:33)
renovate Bot changed the title from "fix(deps): update dependency twig/twig to v3.20.0" to "fix(deps): update dependency twig/twig to v3.21.0" (May 2, 2025)
renovate Bot force-pushed the renovate/twig-monorepo branch from dc5d82f to c735178 (May 3, 2025 10:10)
renovate Bot changed the title from "fix(deps): update dependency twig/twig to v3.21.0" to "fix(deps): update dependency twig/twig to v3.21.1" (May 3, 2025)
renovate Bot changed the title from "fix(deps): update dependency twig/twig to v3.21.1" to "chore(deps): update dependency twig/twig to v3.21.1" (Sep 25, 2025)
renovate Bot force-pushed the renovate/twig-monorepo branch from c735178 to 1f42e95 (October 31, 2025 00:04)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.21.1" to "chore(deps): update dependency twig/twig to v3.22.0" (Oct 31, 2025)
renovate Bot force-pushed the renovate/twig-monorepo branch from 1f42e95 to 9d01894 (November 30, 2025 14:04)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.22.0" to "chore(deps): update dependency twig/twig to v3.22.1" (Nov 30, 2025)
renovate Bot force-pushed the renovate/twig-monorepo branch from 9d01894 to 8055303 (December 15, 2025 10:42)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.22.1" to "chore(deps): update dependency twig/twig to v3.22.2" (Dec 15, 2025)
renovate Bot force-pushed the renovate/twig-monorepo branch from 8055303 to 16cf8fa (January 23, 2026 22:08)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.22.2" to "chore(deps): update dependency twig/twig to v3.23.0" (Jan 23, 2026)
renovate Bot force-pushed the renovate/twig-monorepo branch from 16cf8fa to 0a0230e (March 18, 2026 01:29)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.23.0" to "chore(deps): update dependency twig/twig to v3.24.0" (Mar 18, 2026)
renovate Bot force-pushed the renovate/twig-monorepo branch from 0a0230e to 4e17b79 (May 17, 2026 09:00)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.24.0" to "chore(deps): update dependency twig/twig to v3.25.0" (May 17, 2026)
renovate Bot force-pushed the renovate/twig-monorepo branch from 4e17b79 to cefa5ca (May 20, 2026 09:52)
renovate Bot changed the title from "chore(deps): update dependency twig/twig to v3.25.0" to "chore(deps): update dependency twig/twig to v3.26.0" (May 20, 2026)