Incompatibility with twig 3.9
jderusse opened this issue · comments
Since twigphp/Twig#3999 we cannot use ob_
method to get the generated output.
As a result, the the output generated by the CSPNode is empty.
Which lead to an exception Invalid script, you should use a single <script> tag.
My template twig is:
{% cspscript %}
<script>
alert('foo')
</script>
{% endcspscript %}
the generated PHP code is
// line 315
yield " ";
ob_start();
yield " <script>
alert('foo')
</script>
";
$this->env->getRuntime('Nelmio\SecurityBundle\Twig\CSPRuntime')->getListener()->addSha('script-src', 'sha384-Ee2u6OPPCwK16NVPQ56ORx7yfwYmCmO+bYzRi4OsT+wo/iiP9f8p/+7GNTdT2++t');
echo ob_get_clean();
// line 320
yield " ";
The content of ob_get_clean();
is ""
.
Yup, most of my pipelines are failing this week because of this update to Twig. Because our default, and enforced, security policy is to use NelmioSecurityBundle , this has quite an impact.
Thanks to @jderusse for the fix/improvement. Let's get it merged!