Subscribe to PHP Freaks RSS

Twig 3.27.1 released

syndicated from feeds.feedburner.com on May 30, 2026

Twig 3.27.1 is a patch release that fixes two regressions introduced by the sandbox hardening shipped in 3.27.0. Both involve how the sandbox inspects values that can be coerced to a string, and both are transparent once you upgrade.

Typed iterable arguments are no longer turned into arrays. To enforce the __toString policy on the elements yielded by a Traversable, 3.27.0 started materializing such values into plain arrays before handing them to host code. This broke functions typed against a concrete iterable class; passing a Symfony FormView to form_errors() in a sandboxed template failed with a FormView, array given type error. The sandbox now walks an IteratorAggregate in place and passes the original object through unchanged, so host code keeps receiving the type it expects while the yielded elements are still policy-checked.

Array access with a stringable key is now consistent. Accessing a mapping with an object key behaved differently depending on the compiled path: the optimized inline path threw Cannot access offset of type Stringable on array, while the regular path coerced the key to a string. The optimized path now coerces the key the same way, so the following works whatever the strict_variables setting:



{# `section` is an object implementing Stringable #}
{{ menu[section] }}

In a sandbox, that coercion goes through the __toString policy as well, so a disallowed class is rejected instead of silently slipping through.

Full Changelog

  • #4822 Fix array access with a Stringable key to coerce the key to string consistently instead of throwing in the optimized path (@fabpot)
  • #4821 Fix sandbox replacing IteratorAggregate arguments (e.g. Symfony's FormView) by a plain array (@fabpot)
Sponsor the Symfony project.