Skip to content

« Twig » blog posts

Updates and new features of the Twig template language used in Symfony and PHP applications.

Twig 4.0 replaces the getOperators() array with expression parser classes, all driven by one small and beautiful parsing algorithm.
June 17, 2026 #Twig ❤️ 5 👍 3 🚀 4
Twig 4.0 closes the sandbox blind spots: tests are now checked, silent exceptions are gone, and safe callables can be marked always allowed.
June 15, 2026 #Twig 👍 6 🚀 2
For Twig 4.0, I rebuilt the whole loop machinery: loop.last now works with any iterator, new helpers replace the bookkeeping code we have all written a hundred times, the if condition makes a comeback, and recursive loops become a first-class feature.
June 11, 2026 #Twig ❤️ 20 👍 5 🚀 8 🎉 7
Twig 3.27.1 released
May 30, 2026 #Twig 👍 1
Sandbox `__toString()` policy bypass via dynamic mapping keys
May 27, 2026 #Twig
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
May 27, 2026 #Twig
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` filters and via the `in`/`not in` operators
May 27, 2026 #Twig
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026 #Twig
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
May 27, 2026 #Twig
Twig 3.27.0 released
May 27, 2026 #Twig 👍 1