[Followup] Implement the Twig Sandbox Policy as a service collection

Created on 18 October 2015, over 9 years ago
Updated 21 April 2025, 24 days ago

🐛 Twig templates can call delete() on entities and other objects (Fixed) added the ability to whitelist what object methods were allowed to be called from a Twig template. These whitelists can be customized in a site's settings.php file by adding the appropriate $settings[' ... '] variable. This requires modules that need access to new method names to include extra documentation explaining how this is done and could lead to less secure code if site builders accidentally replace the default values instead of adding to them. See the original change record → for more details.

Allowing modules and themes to implement a service to handle white- or blacklisting a given method call would solve this. Similar to the node access system, a service could respond ALLOW/DENY/NEUTRAL, allowing core to maintain its current list while a module could add additional method names or have even greater restrictions in situations where Twig templates may come from untrusted sources (e.g., user generated).

📌 Task
Status: RTBC
Version: 11.0 🔥
Component: theme system
Created by: 🇺🇸 United States mikeker
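
An added sketch of the proposal above (not Drupal core code and not from this issue): each voter answers ALLOW/DENY/NEUTRAL for a method call, and the votes are combined with a deny-overrides, deny-by-default rule that is assumed here. All enum, interface, class and function names and the method lists are hypothetical; PHP 8.1 is needed for enums.

```php
<?php
// Added sketch: every name below is hypothetical, not a Drupal core API.
enum Vote { case Allow; case Deny; case Neutral; }

interface MethodVoter {
  public function vote(object $object, string $method): Vote;
}

// Stand-in for core's baseline list (constructed values, not core's actual list).
final class BaselineVoter implements MethodVoter {
  public function vote(object $object, string $method): Vote {
    return in_array($method, ['id', 'label', 'bundle'], true) ? Vote::Allow : Vote::Neutral;
  }
}

// A module adds method names without replacing the baseline list.
final class ModuleVoter implements MethodVoter {
  public function vote(object $object, string $method): Vote {
    return in_array($method, ['summary', 'setDisplayName'], true) ? Vote::Allow : Vote::Neutral;
  }
}

// Stricter policy for untrusted (e.g. user-generated) templates: veto mutating calls.
final class UntrustedTemplateVoter implements MethodVoter {
  public function vote(object $object, string $method): Vote {
    return preg_match('/^(delete|save|set)/i', $method) === 1 ? Vote::Deny : Vote::Neutral;
  }
}

// Any Deny wins; otherwise at least one Allow is required; all-Neutral is denied.
function isMethodAllowed(array $voters, object $object, string $method): bool {
  $allowed = false;
  foreach ($voters as $voter) {
    $vote = $voter->vote($object, $method);
    if ($vote === Vote::Deny) {
      return false;
    }
    $allowed = $allowed || $vote === Vote::Allow;
  }
  return $allowed;
}

$voters = [new BaselineVoter(), new ModuleVoter(), new UntrustedTemplateVoter()];
$entity = new stdClass(); // Constructed stand-in for an entity object.
foreach (['label', 'summary', 'setDisplayName', 'delete', 'render'] as $method) {
  printf("%-15s %s\n", $method, isMethodAllowed($voters, $entity, $method) ? 'allowed' : 'denied');
}
```

Because additions arrive as separate voters, a module cannot drop the baseline by accident, and the stricter voter overrides the module's own ALLOW for `setDisplayName`.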


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇳🇿 New Zealand quietone

    There have only been two comments here in 10 years. Is there anything to do here?

    I am setting the status to Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!

  • 🇳🇿 New Zealand quietone