From fb72cfa78ba8d1bf3fc1a0f13802db1f4b74fbdc Mon Sep 17 00:00:00 2001
From: Dan Garner
Date: Fri, 3 Oct 2025 15:24:37 +0100
Subject: [PATCH 1/2] Release prep + translations fixes xibosignage/xibo#3740
---
 lib/Widget/Render/WidgetHtmlRenderer.php | 45 ++++++++++++++++++++----
 1 file changed, 39 insertions(+), 6 deletions(-)
diff --git a/lib/Widget/Render/WidgetHtmlRenderer.php b/lib/Widget/Render/WidgetHtmlRenderer.php
index af4a288018..1b0ed1697c 100644
--- a/lib/Widget/Render/WidgetHtmlRenderer.php
+++ b/lib/Widget/Render/WidgetHtmlRenderer.php
@@ -29,6 +29,8 @@
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
 use Slim\Views\Twig;
+use Twig\Extension\SandboxExtension;
+use Twig\Sandbox\SecurityPolicy;
 use Xibo\Entity\Display;
 use Xibo\Entity\Module;
 use Xibo\Entity\ModuleTemplate;
@@ -120,13 +122,14 @@ public function preview( array $additionalContexts = [] ): string { if ($module->previewEnabled == 1) { + $twigSandbox = $this->getTwigSandbox(); $width = $params->getDouble('width', ['default' => 0]); $height = $params->getDouble('height', ['default' => 0]); if ($module->preview !== null) { // Parse out our preview (which is always a stencil) $module->decorateProperties($widget, true); - return $this->twig->fetchFromString( + return $twigSandbox->fetchFromString( $module->preview->twig, array_merge( [
@@ -544,6 +547,9 @@ private function render(
 array $widgets,
 array $moduleTemplates
 ): string {
+ // Build a Twig Sandbox
+ $twigSandbox = $this->getTwigSandbox();
+
 // Build up some data for twig
 $twig = [];
 $twig['widgetId'] = $widgetId;
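Review bot: In the `@@ -120` hunk, `$twigSandbox = $this->getTwigSandbox();` runs before the `$module->preview !== null` check, so a module with preview enabled but no preview stencil still builds a complete Twig environment that is never used; move the call inside that branch, e.g. `$twigSandbox = $this->getTwigSandbox();` as the first statement after `// Parse out our preview (which is always a stencil)`. `preview()` continues past the hunk; if anything further down still renders through `$this->twig`, that path stays outside the sandbox policy, which is worth confirming since keeping stencil templates inside the policy is the point of the change.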
@@ -709,14 +715,14 @@ private function render(
 $this->getLog()->debug('render: Static template to include: ' . $moduleTemplate->templateId);
 if ($moduleTemplate->stencil !== null) {
 if ($moduleTemplate->stencil->twig !== null) {
- $twig['twig'][] = $this->twig->fetchFromString(
+ $twig['twig'][] = $twigSandbox->fetchFromString(
 $this->decorateTranslations($moduleTemplate->stencil->twig, $translator),
 $widgetData['templateProperties'],
 );
 }
 if ($moduleTemplate->stencil->style !== null) {
 $twig['style'][] = [
- 'content' => $this->twig->fetchFromString(
+ 'content' => $twigSandbox->fetchFromString(
 $moduleTemplate->stencil->style,
 $widgetData['templateProperties'],
 ),
@@ -743,7 +749,7 @@ private function render(
 if ($module->stencil !== null) {
 // Stencils have access to any module properties
 if ($module->stencil->twig !== null) {
- $twig['twig'][] = $this->twig->fetchFromString(
+ $twig['twig'][] = $twigSandbox->fetchFromString(
 $this->decorateTranslations($module->stencil->twig, null),
 array_merge($modulePropertyValues, ['settings' => $module->getSettingsForOutput()]),
 );
@@ -757,14 +763,14 @@ private function render(
 ];
 }
 if ($module->stencil->head !== null) {
- $twig['head'][] = $this->twig->fetchFromString(
+ $twig['head'][] = $twigSandbox->fetchFromString(
 $this->decorateTranslations($module->stencil->head, null),
 $modulePropertyValues,
 );
 }
 if ($module->stencil->style !== null) {
 $twig['style'][] = [
- 'content' => $this->twig->fetchFromString(
+ 'content' => $twigSandbox->fetchFromString(
 $module->stencil->style,
 $modulePropertyValues,
 ),
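Review bot: With the sandbox enabled, each `$twigSandbox->fetchFromString(...)` in this hunk (and likewise in `@@ -743` and `@@ -757`) can now throw a `Twig\Sandbox\SecurityError` when a stencil uses a tag or filter outside the allow-list, and nothing in these hunks catches it, so a single non-conforming stencil aborts rendering of the whole output instead of just that stencil. `render()` starts and ends outside the hunk, so an enclosing catch may exist; if it does not, consider wrapping each stencil render in `try { … } catch (\Twig\Sandbox\SecurityError $e) { $this->getLog()->error('render: stencil rejected by sandbox policy: ' . $e->getMessage()); }` and continuing with the next stencil. Logging the module or template id alongside the message also makes a misbehaving custom module visible rather than leaving a silently blank region.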
@@ -1012,4 +1018,31 @@ public function clearWidgetCache(Widget $widget)
 . $unexpectedValueException->getMessage());
 }
 }
+
+ /**
+ * Get a Twig Sandbox
+ * @return \Slim\Views\Twig
+ * @throws \Twig\Error\LoaderError
+ */
+ private function getTwigSandbox(): Twig
+ {
+ // Create a Twig Environment with a Sandbox
+ $sandbox = Twig::create([
+ PROJECT_ROOT . '/modules',
+ PROJECT_ROOT . '/custom',
+ ], [
+ 'cache' => false,
+ ]);
+
+ // Configure a security policy
+ // Create a new security policy
+ $policy = new SecurityPolicy();
+ $policy->setAllowedTags(['if', 'for', 'set']);
+ $policy->setAllowedFilters(['escape', 'raw', 'url_decode']);
+
+ // Create a Sandbox
+ $sandbox->addExtension(new SandboxExtension($policy, true));
+
+ return $sandbox;
+ }
 }
From 9a78b7258a8abf69d8611cb234acaabd8c6312a6 Mon Sep 17 00:00:00 2001
From: Dan Garner
Date: Fri, 3 Oct 2025 15:40:11 +0100
Subject: [PATCH 2/2] Misc fixes for 4.3 fixes xibosignage/xibo#3740
---
 modules/subplaylist.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/subplaylist.xml b/modules/subplaylist.xml
index 62e8c6322d..79e617f079 100644
--- a/modules/subplaylist.xml
+++ b/modules/subplaylist.xml
@@ -1,5 +1,5 @@
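Review bot: `getTwigSandbox()` constructs a brand-new Twig environment (filesystem loader over two directories, `'cache' => false`) on every call, and it is called from `preview()` (`@@ -120`) and at the top of `render()` (`@@ -544`), so every render pays the construction and recompilation cost; memoize it on the instance as sketched below (the `private ?Twig $twigSandbox = null;` property belongs with the class's other properties, outside this hunk). Two allow-list details are worth checking: Twig registers `e` as a filter name distinct from `escape`, so a stencil using `|e` fails with `SecurityNotAllowedFilterError` unless `'e'` is added, and `url_decode` is not a Twig core filter, so if it comes from an extension registered on `$this->twig` it is absent from this fresh environment regardless of the policy. The policy leaves methods, properties and functions at their empty defaults, which is the safe default, but it means a stencil that reads an object property or calls a function now throws — confirm the shipped stencils only touch array data. The adjacent comments `// Configure a security policy` and `// Create a new security policy` say the same thing; keep one.
```php
private function getTwigSandbox(): Twig
{
    // Reuse one sandboxed environment per renderer instance
    // (needs `private ?Twig $twigSandbox = null;` declared on the class).
    if ($this->twigSandbox !== null) {
        return $this->twigSandbox;
    }

    // … unchanged: Twig::create(...), SecurityPolicy setup, addExtension(...) …

    $this->twigSandbox = $sandbox;

    return $sandbox;
}
```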