Twig 4.0 replaces the getOperators() array with expression parser classes, all driven by one small and beautiful parsing algorithm.
June 17, 2026
#Twig
❤️ 5
👍 3
🚀 4
Twig 4.0 closes the sandbox blind spots: tests are now checked, silent exceptions are gone, and safe callables can be marked always allowed.
June 15, 2026
#Twig
👍 6
🚀 2
For Twig 4.0, I rebuilt the whole loop machinery: loop.last now works with any iterator, new helpers replace the bookkeeping code we have all written a hundred times, the if condition makes a comeback, and recursive loops become a first-class feature.
June 11, 2026
#Twig
❤️ 20
👍 5
🚀 8
🎉 7
Sandbox `__toString()` policy bypass via dynamic mapping keys
May 27, 2026
#Twig
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
May 27, 2026
#Twig
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` filters and via the `in`/`not in` operators
May 27, 2026
#Twig
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026
#Twig
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
May 27, 2026
#Twig