nelmio / NelmioSecurityBundle

Adds extra security-related features in your Symfony application

Home Page: https://symfony.com/bundles/NelmioSecurityBundle/

Incompatibility with twig 3.9

jderusse opened this issue

Since twigphp/Twig#3999, we cannot use ob_ methods to get the generated output.
As a result, the output generated by the CSPNode is empty.
Which leads to an exception: Invalid script, you should use a single <script> tag.

My Twig template is:

            {% cspscript %}
                <script>
                  alert('foo')
                </script>
            {% endcspscript %}

The generated PHP code is:


        // line 315
        yield "            ";
        ob_start();
        yield "                <script>
                  alert('foo')
                </script>
            ";
        $this->env->getRuntime('Nelmio\SecurityBundle\Twig\CSPRuntime')->getListener()->addSha('script-src', 'sha384-Ee2u6OPPCwK16NVPQ56ORx7yfwYmCmO+bYzRi4OsT+wo/iiP9f8p/+7GNTdT2++t');
        echo ob_get_clean();
        // line 320
        yield "        ";

The content of ob_get_clean(); is "".
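The failure reported above, reduced to plain PHP as an added illustration (not code from this thread, from NelmioSecurityBundle, or from Twig): a body that is yielded never reaches a buffer opened with ob_start(), so the CSP hash step receives an empty string, while draining the body generator gives it the real markup. The function names, the regex check, and the consumer that joins yielded chunks are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: CSP hash-source for the content of exactly one <script> element.
function cspHashSource(string $html, string $algo = 'sha384'): string
{
    if (preg_match_all('~<script\b[^>]*>(.*?)</script>~is', $html, $m) !== 1) {
        throw new InvalidArgumentException('expected exactly one <script> element');
    }
    // CSP hashes cover the element content only, as base64 of the raw digest.
    return $algo . '-' . base64_encode(hash($algo, $m[1][0], true));
}

// Constructed body, standing in for the template between the cspscript tags.
function body(): Generator
{
    yield "<script>\n";
    yield "  alert('foo')\n";
    yield "</script>\n";
}

// Same shape as the generated code in the issue: the buffer is opened, the body is
// yielded to the caller instead of echoed, so the buffer is still empty when read.
function bufferedBlock(array &$captured): Generator
{
    ob_start();
    yield from body();
    $captured[] = ob_get_clean();
}

// Yield-aware variant: drain the body generator into a string, then pass it on.
function drainedBlock(array &$captured): Generator
{
    $html = implode('', iterator_to_array(body(), false));
    $captured[] = $html;
    yield $html;
}

foreach (['bufferedBlock', 'drainedBlock'] as $block) {
    $captured = [];
    // Assumed consumer: joins the yielded chunks without echoing them.
    $rendered = implode('', iterator_to_array($block($captured), false));
    try {
        $hash = cspHashSource($captured[0]);
    } catch (InvalidArgumentException $e) {
        $hash = 'no hash: ' . $e->getMessage();
    }
    printf("%s: rendered %d, captured %d, %s\n", $block, strlen($rendered), strlen($captured[0]), $hash);
}
```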

Yup, most of my pipelines are failing this week because of this update to Twig. Because our default, and enforced, security policy is to use NelmioSecurityBundle, this has quite an impact.

Thanks to @jderusse for the fix/improvement. Let's get it merged!