Add $entity->toUrl() and $entity->toLink() methods to allowed methods list in Twig sandbox policy

Created on 10 September 2017, over 7 years ago
Updated 16 October 2023, about 1 year ago

Problem/Motivation

It would be wonderful to be able to access the toLink() and toUrl() entity methods directly inside a Twig template (like label(), id(), get*(), and a few others).

Steps to reproduce

Try to generate a link to an entity directly in a Twig template.

Proposed resolution

Add EntityInterface::toLink() and EntityInterface::toUrl() to the allowed methods in the Twig sandbox policy.

Remaining tasks

  1. Rescope the issue and implementation.
  2. Make sure the test coverage is sufficient.
  3. Reviews / refinements.
  4. RTBC.

User interface changes

None.

API changes

None.

Data model changes

None.

Release notes snippet

TBD.

Original report by @Chi

I suppose this has no security implications.

Feature request
Status: Needs work
Version: 11.0
Component: Theme
Last updated 4 days ago
Created by: Chi (🇷🇺 Russia)


Comments & Activities

  • 🇳🇱Netherlands seanB Netherlands

    Reroll for 10.1

  • 🇬🇧United Kingdom longwave UK

    Just run into this again after an internal discussion where we debated Twig vs PHP:

    {{ url('entity.node.canonical', { 'node': node.id }) }}
    

    or

    $variables['node_url'] = $node->toUrl()->setAbsolute()->toString();
    

    I couldn't believe there wasn't a simpler way, and then I found this issue again.

    I would also note that the url() Twig function already assumes all URLs will be absolute:

        $options['absolute'] = TRUE;
        $generated_url = $this->urlGenerator->generateFromRoute($name, $parameters, $options, TRUE);
    
    +++ b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
    @@ -56,15 +58,29 @@ public function __construct() {
    -      'id',
    -      'label',
    -      'bundle',
    -      'get',
    -      '__toString',
    -      'toString',
    +      EntityInterface::class . '::id',
    +      EntityInterface::class . '::label',
    +      EntityInterface::class . '::bundle',
    +      EntityInterface::class . '::toLink',
    +      EntityInterface::class . '::toUrl',
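
    Review bot: The removed bare entries 'get', '__toString' and 'toString' have no class-qualified replacement among the added lines quoted here, so unless the rest of the hunk restores them, templates that call those methods will start failing the sandbox check; keep the bare names alongside the new EntityInterface::class . '::…' entries or add qualified equivalents. Moving 'id', 'label' and 'bundle' to EntityInterface-only entries also narrows what non-entity objects may call, so the list needs a comment documenting the Class::method form and the change needs a note on backwards compatibility.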
    

    I think we could sidestep this and the BC and deprecation issues if we just assume that a method name (without ::) also means "any class"?
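
The class-qualified versus bare-name allow-list semantics discussed in the comment above, as an added illustration that is not Drupal's TwigSandboxPolicy code or part of any patch on this issue: `EntityLike`, `UrlLike`, `Node` and `isMethodAllowed()` are hypothetical stand-ins. It also shows that allowing `toUrl` on the entity does not by itself allow methods on the object it returns, which matters for chains such as `toUrl()->setAbsolute()->toString()`.

```php
<?php
declare(strict_types=1);
// Hypothetical stand-ins for this example; these are not Drupal classes.
interface EntityLike {
  public function id(): int;
  public function toUrl(): UrlLike;
}
final class UrlLike {
  public function setAbsolute(): self { return $this; }
  public function toString(): string { return '/node/1'; }
}
final class Node implements EntityLike {
  public function id(): int { return 1; }
  public function toUrl(): UrlLike { return new UrlLike(); }
  public function delete(): void {}
}

/**
 * Returns TRUE if $method may be called on $obj under $allowed.
 * "Class::method" matches only instances of Class; a bare "method"
 * matches any object (the reading suggested in the comment above).
 */
function isMethodAllowed(object $obj, string $method, array $allowed): bool {
  foreach ($allowed as $entry) {
    if (!str_contains($entry, '::')) {
      if ($entry === $method) {
        return TRUE;
      }
      continue;
    }
    [$class, $name] = explode('::', $entry, 2);
    if ($name === $method && $obj instanceof $class) {
      return TRUE;
    }
  }
  return FALSE;
}

$allowed = ['toString', EntityLike::class . '::id', EntityLike::class . '::toUrl'];
$node = new Node();
$url = $node->toUrl();
// Each call is checked against the object it is made on, so the Url
// returned by toUrl() is evaluated separately from the entity.
$checks = [[$node, 'toUrl'], [$node, 'delete'], [$url, 'toString'],
  [$url, 'setAbsolute'], [$url, 'toUrl']];
foreach ($checks as [$obj, $method]) {
  $verdict = isMethodAllowed($obj, $method, $allowed) ? 'allowed' : 'denied';
  printf("%s::%s() %s\n", get_class($obj), $method, $verdict);
}
```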

  • 🇭🇺Hungary peter_serfozo

    Reroll for 10.3 without tests

  • 🇳🇱Netherlands Remco Hoeneveld

    Reroll for 10.3 with latest changes applied from issues/3487031 ("Performance Degraded after update to twig 3.14.2", Active)

  • 🇺🇸United States dww

    "Harden TwigSandbox methods" (Needs work) is nearly ready. We should postpone this issue on getting that committed, first.
