Merge branch 'release/5.0.3' into v5

Author: khalwat

CHANGELOG.md

@@ -2,7 +2,15 @@
 
 All notable changes to this project will be documented in this file.
 
-## 5.0.2 -2025.02.17
+## 5.0.3 - 2025.06.08
+### Added
+* Add an example `config/blacklist-sandbox.php` and `config/whitelist-sandbox.php` files for user-customizable Twig sandbox environments
+* Add `SecurityPolicy::createFromFile()` to create a new Twig sandbox from a config file in the `config/` directory
+
+### Changed
+* Cleaned up the `BlacklistSecurityPolicy` to no longer blacklist innocuous tags/filters/functions
+
+## 5.0.2 - 2025.02.17
 ### Added
 * Craft Twig Sandbox no longer automatically handles exceptions when rendering sandbox templates. Instead, you can decide whether to handle the exception yourself, or pass it along to the `sandboxErrorHandler` for display in the browser/console
 

README.md

@@ -224,6 +224,42 @@ If you want all properties or methods to be able to be accessed on a given objec
    ],
 ```
 
+### SecurityPolicy from a config file
+
+Often you'll want to provide a sane Twig sandbox, but also allow your users to add or remove from the policy as they see fit.
+
+To make this easy to do, there is a `SecurityPolicy::createFromFile()` helper method to create a sandbox security policy from a config file:
+```php
+    public static function createFromFile(string $filePath, ?string $alias = null): BaseSecurityPolicy
+```
+
+You pass it in a `$filePath`, and it will look for a file of that name (with `.php` added to the end of it) in the `craft/config/` directory. If no file is found, it will then also try to resolve the optional `$alias` and look for the file in that directory.
+
+If the file still is not found, it will return a default `BlacklistSecurityPolicy`.
+
+The config file is a standard [Yii2 Object Configuration file](https://www.yiiframework.com/doc/guide/2.0/en/concept-configurations).
+
+Example files you can copy & rename exists in the `craft-twig-standbox` codebase in `src/config/`, as `blacklist-sandbox.php` and `whitelist-sandbox-php`.
+
+These are the default files that are used to create the respective security policies when you allocate a new `BlacklistSecurityPolicy` or `WhitelistSecurityPolicy`, and pass in no object configuration. 
+
+So for a practical example, the author of the SEOmatic plugin would copy the `config/blacklist-sandbox.php` file to that plugin's `src/` directory as `seomatic-sandbox.php`, and put in any customizations that they might want there.
+
+Then they could direct their users to copy the `seomatic-sandbox.php` file to their `craft/config/` directory if they wanted to make any customizations to it.
+
+Then to create the sandbox view in the plugin, they would do:
+
+```php
+use nystudio107\crafttwigsandbox\helpers\SecurityPolicy;
+
+$securityPolicy = SecurityPolicy::createFromFile('seomatic-sandbox', '@nystudio107/seomatic');
+$sandboxView = new SandboxView(['securityPolicy' => $securityPolicy]);
+```
+
+This will cause it to create the sandbox from the `seomatic-sandbox.php` file in the `craft/config/` directory (if it exists), and if it does not exist, it will load the config file from the `seomatic-sandbox.php` in the `@nystudio107/seomatic` directory (which points to the plugin's source).
+
+Craft automatically creates a namespaced alias for each plugin.
+
 ### Custom SecurityPolicy
 
 You can also create your own custom `SecurityPolicy` to use, it just needs to conform to the Twig [`SecurityPolicyInterface`](https://github.com/twigphp/Twig/blob/3.x/src/Sandbox/SecurityPolicyInterface.php):

composer.json

@@ -1,7 +1,7 @@
 {
   "name": "nystudio107/craft-twig-sandbox",
   "description": "Allows you to easily create a sandboxed Twig environment where you can control what tags, filters, functions, and object methods/properties are allowed",
-  "version": "5.0.2",
+  "version": "5.0.3",
   "keywords": [
     "craft",
     "cms",

src/config/blacklist-sandbox.php

@@ -0,0 +1,140 @@
+<?php
+
+/**
+ * SecurityPolicy config.php
+ *
+ * This file exists only as a template for a sandbox configuration.
+ * It does nothing on its own.
+ *
+ * Don't edit this file, instead copy it to 'craft/config' as 'xxxx-sandbox.php'
+ * and make your changes there to override default settings.
+ *
+ * The idea is that this allows for a user-editable config file so that users
+ * can customize the Twig sandbox that your application uses.
+ */
+
+use nystudio107\crafttwigsandbox\twig\BlacklistSecurityPolicy;
+
+return [
+    'class' => BlacklistSecurityPolicy::class,
+    'twigTags' => [
+        'autoescape',
+        'block',
+        'deprecated',
+        'do',
+        'embed',
+        'extends',
+        'flush',
+        'from',
+        'import',
+        'include',
+        'macro',
+        'sandbox',
+        'use',
+        'verbatim',
+        'cache',
+        'css',
+        'dd',
+        'dump',
+        'exit',
+        'header',
+        'hook',
+        'html',
+        'js',
+        'namespace',
+        'nav',
+        'paginate',
+        'redirect',
+        'requireAdmin',
+        'requireEdition',
+        'requireGuest',
+        'requireLogin',
+        'requirePermission',
+        'script',
+        'tag',
+    ],
+    'twigFilters' => [
+        'convert_encoding',
+        'data_uri',
+        'filter',
+        'inky_to_html',
+        'inline_css',
+        'map',
+        'merge',
+        'reduce',
+        'sort',
+        'spaceless',
+        'url_encode',
+        'append',
+        'attr',
+        'base64_decode',
+        'base64_encode',
+        'column',
+        'encenc',
+        'filesize',
+        'filter',
+        'hash',
+        'json_encode',
+        'json_decode',
+        'multisort',
+        'namespace',
+        'ns',
+        'namespaceAttributes',
+        'namespaceInputId',
+        'namespaceInputName',
+        'parseAttr',
+        'parseRefs',
+        'prepend',
+        'removeClass',
+        'where',
+    ],
+    'twigFunctions' => [
+        'attribute',
+        'block',
+        'constant',
+        'cycle',
+        'dump',
+        'html_classes',
+        'parent',
+        'source',
+        'template_from_string',
+        'actionInput',
+        'alias',
+        'beginBody',
+        'block',
+        'canCreateDrafts',
+        'canDelete',
+        'canDeleteForSite',
+        'canDuplicate',
+        'canSave',
+        'canView',
+        'ceil',
+        'className',
+        'clone',
+        'combine',
+        'configure',
+        'constant',
+        'create',
+        'csrfInput',
+        'dump',
+        'endBody',
+        'expression',
+        'failMessageInput',
+        'getenv',
+        'gql',
+        'head',
+        'hiddenInput',
+        'input',
+        'parseBooleanEnv',
+        'parseEnv',
+        'plugin',
+        'redirectInput',
+        'renderObjectTemplate',
+        'source',
+        'successMessageInput',
+    ],
+    'twigMethods' => [
+    ],
+    'twigProperties' => [
+    ],
+];

src/config/whitelist-sandbox.php

@@ -0,0 +1,84 @@
+<?php
+
+/**
+ * SecurityPolicy config.php
+ *
+ * This file exists only as a template for a sandbox configuration.
+ * It does nothing on its own.
+ *
+ * Don't edit this file, instead copy it to 'craft/config' as 'xxxx-sandbox.php'
+ * and make your changes there to override default settings.
+ *
+ * The idea is that this allows for a user-editable config file so that users
+ * can customize the Twig sandbox that your application uses.
+ */
+
+use nystudio107\crafttwigsandbox\twig\WhitelistSecurityPolicy;
+
+return [
+    'class' => WhitelistSecurityPolicy::class,
+    'twigTags' => [
+        'for',
+        'if',
+        'set',
+    ],
+    'twigFilters' => [
+        'capitalize',
+        'date',
+        'escape',
+        'first',
+        'join',
+        'keys',
+        'last',
+        'length',
+        'lower',
+        'markdown',
+        'nl2br',
+        'number_format',
+        'raw',
+        'replace',
+        'sort',
+        'split',
+        'striptags',
+        'title',
+        'trim',
+        'upper',
+        'camel',
+        'contains',
+        'currency',
+        'date',
+        'datetime',
+        'id',
+        'index',
+        'indexOf',
+        'kebab',
+        'lcfirst',
+        'length',
+        'markdown',
+        'md',
+        'merge',
+        'money',
+        'pascal',
+        'percentage',
+        'purify',
+        'snake',
+        'time',
+        'timestamp',
+        'translate',
+        't',
+        'ucfirst',
+        'ucwords',
+    ],
+    'twigFunctions' => [
+        'date',
+        'max',
+        'min',
+        'random',
+        'range',
+        'collect',
+    ],
+    'twigMethods' => [
+    ],
+    'twigProperties' => [
+    ],
+];

src/helpers/SecurityPolicy.php

@@ -0,0 +1,89 @@
+<?php
+
+namespace nystudio107\crafttwigsandbox\helpers;
+
+use Craft;
+use craft\helpers\ArrayHelper;
+use craft\helpers\StringHelper;
+use nystudio107\crafttwigsandbox\twig\BaseSecurityPolicy;
+use nystudio107\seomatic\Seomatic;
+use function is_array;
+
+class SecurityPolicy
+{
+    // Static Methods
+    // =========================================================================
+
+    public static function createFromFile(string $filePath, ?string $alias = null): BaseSecurityPolicy
+    {
+        $config = self::getConfigFromFile($filePath, $alias);
+
+        return Craft::createObject($config);
+    }
+
+    /**
+     * Loads a config file from, trying @craft/config first, then falling back on
+     * the provided $alias, if any
+     *
+     * @param string $filePath
+     * @param string|null $alias
+     *
+     * @return array
+     */
+    public static function getConfigFromFile(string $filePath, ?string $alias = null): array
+    {
+        // Try craft/config first
+        $path = self::getConfigFilePath('@config', $filePath);
+        if (!file_exists($path)) {
+            if (!$alias) {
+                return [];
+            }
+            // Now the additional alias config
+            $path = self::getConfigFilePath($alias, $filePath);
+            if (!file_exists($path)) {
+                return [];
+            }
+        }
+
+        if (!is_array($config = @include $path)) {
+            return [];
+        }
+
+        // If it's not a multi-environment config, return the whole thing
+        if (!array_key_exists('*', $config)) {
+            return $config;
+        }
+
+        $mergedConfig = [];
+        /** @var array $config */
+        foreach ($config as $env => $envConfig) {
+            if ($env === '*' || StringHelper::contains(Seomatic::$environment, $env)) {
+                $mergedConfig = ArrayHelper::merge($mergedConfig, $envConfig);
+            }
+        }
+
+        return $mergedConfig;
+    }
+
+    // Private Methods
+    // =========================================================================
+
+    /**
+     * Return a path from an alias and a partial path
+     *
+     * @param string $alias
+     * @param string $filePath
+     *
+     * @return string
+     */
+    private static function getConfigFilePath(string $alias, string $filePath): string
+    {
+        $path = DIRECTORY_SEPARATOR . ltrim($filePath, DIRECTORY_SEPARATOR);
+        $path = Craft::getAlias($alias)
+            . DIRECTORY_SEPARATOR
+            . str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path)
+            . '.php';
+
+        return $path;
+    }
+}