Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame^] | 1 | <?php |
| 2 | |
| 3 | /* |
| 4 | * This file is part of Twig. |
| 5 | * |
| 6 | * (c) Fabien Potencier |
| 7 | * |
| 8 | * For the full copyright and license information, please view the LICENSE |
| 9 | * file that was distributed with this source code. |
| 10 | */ |
| 11 | |
| 12 | namespace Twig\TokenParser; |
| 13 | |
| 14 | use Twig\Error\SyntaxError; |
| 15 | use Twig\Node\IncludeNode; |
| 16 | use Twig\Node\Node; |
| 17 | use Twig\Node\SandboxNode; |
| 18 | use Twig\Node\TextNode; |
| 19 | use Twig\Token; |
| 20 | |
| 21 | /** |
| 22 | * Marks a section of a template as untrusted code that must be evaluated in the sandbox mode. |
| 23 | * |
| 24 | * {% sandbox %} |
| 25 | * {% include 'user.html' %} |
| 26 | * {% endsandbox %} |
| 27 | * |
| 28 | * @see https://twig.symfony.com/doc/api.html#sandbox-extension for details |
| 29 | * |
| 30 | * @internal |
| 31 | */ |
| 32 | final class SandboxTokenParser extends AbstractTokenParser |
| 33 | { |
| 34 | public function parse(Token $token): Node |
| 35 | { |
| 36 | $stream = $this->parser->getStream(); |
| 37 | $stream->expect(/* Token::BLOCK_END_TYPE */ 3); |
| 38 | $body = $this->parser->subparse([$this, 'decideBlockEnd'], true); |
| 39 | $stream->expect(/* Token::BLOCK_END_TYPE */ 3); |
| 40 | |
| 41 | // in a sandbox tag, only include tags are allowed |
| 42 | if (!$body instanceof IncludeNode) { |
| 43 | foreach ($body as $node) { |
| 44 | if ($node instanceof TextNode && ctype_space($node->getAttribute('data'))) { |
| 45 | continue; |
| 46 | } |
| 47 | |
| 48 | if (!$node instanceof IncludeNode) { |
| 49 | throw new SyntaxError('Only "include" tags are allowed within a "sandbox" section.', $node->getTemplateLine(), $stream->getSourceContext()); |
| 50 | } |
| 51 | } |
| 52 | } |
| 53 | |
| 54 | return new SandboxNode($body, $token->getLine(), $this->getTag()); |
| 55 | } |
| 56 | |
| 57 | public function decideBlockEnd(Token $token): bool |
| 58 | { |
| 59 | return $token->test('endsandbox'); |
| 60 | } |
| 61 | |
| 62 | public function getTag(): string |
| 63 | { |
| 64 | return 'sandbox'; |
| 65 | } |
| 66 | } |