From 9d01140a63c77075ef09b26ef57cf186138151a5 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Tue, 13 Jun 2023 17:07:39 -0600
Subject: [PATCH] Fix for dangerous tags in |map filter

---
 CHANGELOG.md                                        |  2 ++
 .../Common/Twig/Extension/GravExtension.php        | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62bfeb483..ab837d5e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@
 1. [](#new)
     * Added a new `system.languages.debug` option that adds a `` around strings translated with `|t`. This can be styled by the theme as needed.
+1. [](#bugfix)
+    * * Fixed Twig `|map()` allowing code execution
 # v1.7.41.2
 ## 06/01/2023
diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php
index cfadb0417..b4f5d70ea 100644
--- a/system/src/Grav/Common/Twig/Extension/GravExtension.php
+++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php
@@ -173,6 +173,7 @@ public function getFilters(): array
             // Security fix
             new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
+            new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
         ];
     }
@@ -1713,4 +1714,20 @@ function filterFilter(Environment $env, $array, $arrow)
         return twig_array_filter($env, $array, $arrow);
     }
+
+    /**
+     * @param Environment $env
+     * @param array $array
+     * @param callable|string $arrow
+     * @return array|CallbackFilterIterator
+     * @throws RuntimeError
+     */
+    function mapFilter(Environment $env, $array, $arrow)
+    {
+        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+            throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
+        }
+
+        return twig_array_map($env, $array, $arrow);
+    }
 }
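Review bot: The guard in mapFilter only vets string callables — `is_string($arrow) && Utils::isDangerousFunction($arrow)` short-circuits for anything else, so a Twig array literal used as a `[class, method]` callable reaches `twig_array_map` with no check at all, and from this hunk I cannot tell whether `Utils::isDangerousFunction` would even accept a non-string. Since Twig compiles arrow functions to PHP closures, a tighter shape that still admits legitimate `v => ...` arrows is `if (!$arrow instanceof \Closure && (!is_string($arrow) || Utils::isDangerousFunction($arrow))) {`, throwing the same RuntimeError; the sibling `filterFilter` above appears to share the weaker form and would need the same treatment. The docblock looks copied from `filterFilter`: `twig_array_map` builds and returns a plain array in the Twig versions I know, so `@return array` is the accurate line, and a short sentence saying the method exists to block dangerous PHP function names being passed as the map callback would help the next reader understand why the override exists. Finally `function mapFilter(...)` has no visibility modifier; `public function mapFilter(...)` matches the rest of the class's declared methods such as `getFilters`.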