Using the Twig Sandbox Extension

Twig offers a Sandbox extension that enables the use of the {% sandbox %} tag with the {% include %} and {% include_content %} tags.

The extension lets you define a security policy that restricts which tags, filters, and functions a template may use. This limits what a template from a less trusted source can do when it is rendered dynamically.

To configure and use the Twig Sandbox extension in your OXID eShop, perform the following steps.

Procedure

  1. Create a sandbox extension factory.

    <?php

    namespace ACME\Twig\Extensions;

    use Twig\Extension\SandboxExtension;
    use Twig\Sandbox\SecurityPolicy;

    class SandboxExtensionFactory
    {
        public static function getExtension(): SandboxExtension
        {
            // Allow-list: anything not listed here is rejected inside a sandbox.
            // No methods or properties are listed, so sandboxed templates cannot call methods or read properties on objects.
            $policy = new SecurityPolicy(
                allowedTags: ['for'],
                allowedFilters: ['escape', 'raw'],
                allowedFunctions: ['range'],
            );

            return new SandboxExtension($policy);
        }
    }
    
  2. To register the sandbox extension, define the necessary services in your component’s or module’s services.yaml file as follows:

    ACME\Twig\Extensions\SandboxExtensionFactory:
      class: ACME\Twig\Extensions\SandboxExtensionFactory
    
    Twig\Extension\SandboxExtension:
      factory: ['ACME\Twig\Extensions\SandboxExtensionFactory', 'getExtension']
      tags: [ 'twig.extension' ]
    
  3. Clear the cache.

    vendor/bin/oe-console oe:cache:clear
    
  4. To enforce the sandbox policy, wrap template includes with the {% sandbox %} tag.

    {% sandbox %}
        {% include 'user.html.twig' %}
    {% endsandbox %}
    
    {# or #}
    
    {% sandbox %}
        {% include_content "sandbox_test" %}
    {% endsandbox %}
    
  5. Templates that do not comply with the defined sandbox policy will trigger a Twig\Sandbox\SecurityError exception.
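The following script is an added example, not part of the OXID documentation or the shop's code. It exercises the same policy as the factory above with plain Twig and an in-memory `ArrayLoader`, so it runs outside the shop; the template names and contents are constructed for the demonstration, the Composer autoloader path is assumed, and the OXID-specific `{% include_content %}` tag is replaced by Twig's own `{% include %}`. It shows a compliant include, a non-compliant include being rejected with `Twig\Sandbox\SecurityError`, and the same non-compliant template rendering unchecked when it is not wrapped in `{% sandbox %}`.

```php
<?php
declare(strict_types=1);

// Added example: demonstrates the sandbox policy from the procedure above
// with plain Twig. Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Same allow-list as SandboxExtensionFactory: only these tags, filters and
// functions may be used inside a sandbox. Methods and properties are not
// listed, so sandboxed templates cannot call methods or read properties.
$policy = new SecurityPolicy(
    allowedTags: ['for'],
    allowedFilters: ['escape', 'raw'],
    allowedFunctions: ['range'],
);

// Constructed templates for the demo (names and contents are made up).
$loader = new ArrayLoader([
    // The sandbox tag enforces the policy on the includes nested inside it;
    // the outer template itself is not restricted.
    'page_ok.html.twig' => <<<'TWIG'
        {% sandbox %}{% include 'user_ok.html.twig' %}{% endsandbox %}
        TWIG,
    'page_bad.html.twig' => <<<'TWIG'
        {% sandbox %}{% include 'user_bad.html.twig' %}{% endsandbox %}
        TWIG,
    // Complies with the policy: "for" tag, "range" function, "escape" filter.
    'user_ok.html.twig' => <<<'TWIG'
        {% for i in range(1, 3) %}{{ i|escape }}{% endfor %}
        TWIG,
    // Violates the policy: the "upper" filter is not in allowedFilters.
    'user_bad.html.twig' => <<<'TWIG'
        {{ 'untrusted'|upper }}
        TWIG,
    // The same template included without a sandbox tag is not checked at all.
    'page_unsandboxed.html.twig' => <<<'TWIG'
        {% include 'user_bad.html.twig' %}
        TWIG,
]);

$twig = new Environment($loader, ['cache' => false]);
// The second constructor argument is left at its default (false): the policy
// is enforced only inside {% sandbox %} blocks. Passing true would sandbox
// every template the environment renders.
$twig->addExtension(new SandboxExtension($policy));

function renderSandboxed(Environment $twig, string $name): string
{
    try {
        return trim($twig->render($name));
    } catch (SecurityError $e) {
        // Thrown when a template rendered inside a sandbox uses a tag, filter,
        // function, method or property that the policy does not allow.
        return 'blocked: ' . $e->getMessage();
    }
}

echo renderSandboxed($twig, 'page_ok.html.twig'), PHP_EOL;
echo renderSandboxed($twig, 'page_bad.html.twig'), PHP_EOL;
echo renderSandboxed($twig, 'page_unsandboxed.html.twig'), PHP_EOL;
```

Run it with `php sandbox_demo.php` from the directory that holds the Composer `vendor/` folder. The first render succeeds because `user_ok.html.twig` uses only allow-listed constructs; the second is caught as a `SecurityError` (specifically the filter variant) at render time, since the policy check happens when the included template is displayed inside the sandbox; the third renders the disallowed filter without any check, which is the point of step 4: the policy is only enforced for includes wrapped in `{% sandbox %}` unless the extension is registered in global sandbox mode.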