From 3a27a3ba73b198ebc6aded5343ca7d0c299f698d Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Fri, 3 Apr 2020 21:01:18 +0200
Subject: [PATCH] Fix major security issue with twig, sandbox was incorrectly set and was allowing code injection
---
 controllers/internals/Templating.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/controllers/internals/Templating.php b/controllers/internals/Templating.php
index 77a4413..158e7a8 100644
--- a/controllers/internals/Templating.php
+++ b/controllers/internals/Templating.php
@@ -32,9 +32,9 @@ namespace controllers\internals;
 $filters = [
 'abs', 'capitalize', 'country_name', 'currency_name',
- 'currency_symbol', 'date', 'date_modify', 'default',
+ 'currency_symbol', 'date', 'date_modify', 'default', 'escape',
 'first', 'format', 'format_currency', 'format_datetime',
- 'format_number', 'join', 'keys', 'language_name',
+ 'format_number', 'join', 'json_encode', 'keys', 'language_name',
 'last', 'length', 'locale_name', 'lower', 'number_format',
 'replace', 'reverse', 'round', 'slice', 'sort', 'spaceless',
 'split', 'timezone_name',
@@ -68,7 +68,17 @@ namespace controllers\internals;
 'template' => $template,
 ]);
- $twig = new \Twig\Environment($loader);
+ $twig = new \Twig\Environment($loader, [
+ 'debug' => false,
+ 'charset' => 'utf-8',
+ 'cache' => false,
+ 'auto_reload' => false,
+ 'strict_variables' => false,
+ 'autoescape' => false,
+ 'optimizations' => -1,
+ ]);
+
+ $twig->addExtension($this->sandbox);
 $result = $twig->render('template', $datas);
 return [
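Review bot: The filter allow-list in the first hunk is hand-curated with no comment stating the admission criterion, so additions such as `escape` and `json_encode` here have nothing to be reviewed against. A one-line comment above `$filters = [`, e.g. `// Sandbox allow-list: pure formatting filters only; anything that reaches back into PHP or loads other templates stays out`, would record the policy for the next maintainer. The `$filters` array closes outside the hunk.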
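Review bot: Registering the sandbox extension only makes this top-level `render()` call policy-checked if `$this->sandbox` was built in global mode (`new \Twig\Extension\SandboxExtension($policy, true)`); with the constructor's default second argument the policy applies only inside `{% sandbox %}` blocks and a user-supplied template still compiles unrestricted. `$this->sandbox` is constructed outside the hunk, so that cannot be confirmed from here; a comment on the `addExtension` line such as `// sandbox must be global (sandboxed=true) or render() is not restricted` would make the assumption visible. `'autoescape' => false` also deserves a comment stating why it is safe for this output, since together with `escape` being allow-listed in the first hunk it makes escaping purely opt-in for template authors.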