Fix for dangerous tags in |map filter

Author: rhukster

CHANGELOG.md

@@ -3,6 +3,8 @@
 
 1. [](#new)
    * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
+1. [](#bugfix)
+   * * Fixed Twig `|map()` allowing code execution
 
 # v1.7.41.2
 ## 06/01/2023

system/src/Grav/Common/Twig/Extension/GravExtension.php

@@ -173,6 +173,7 @@ public function getFilters(): array
 
             // Security fix
             new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
+            new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
         ];
     }
 
@@ -1713,4 +1714,20 @@ function filterFilter(Environment $env, $array, $arrow)
 
         return twig_array_filter($env, $array, $arrow);
     }
+
+    /**
+     * @param Environment $env
+     * @param array $array
+     * @param callable|string $arrow
+     * @return array|CallbackFilterIterator
+     * @throws RuntimeError
+     */
+    function mapFilter(Environment $env, $array, $arrow)
+    {
+        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
+        }
+
+        return twig_array_map($env, $array, $arrow);
+    }
 }