Fixed #15278

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 - Fixed a JavaScript error that occurred when creating a new custom element source, preventing the Default Sort and Default Table Columns fields from showing up.
 - Fixed a bug where the control panel was getting asynchronous CSRF inputs if the `asyncCsrfInputs` config setting was enabled.
+- Fixed a bug where Craft’s Twig implementation wasn’t respecting sandboxing rules for object properties. ([#15278](https://github.com/craftcms/cms/issues/15278))
 
 ## 4.10.3 - 2024-06-27
 

src/helpers/Template.php

@@ -14,6 +14,7 @@
 use craft\web\View;
 use Twig\Environment;
 use Twig\Error\RuntimeError;
+use Twig\Extension\SandboxExtension;
 use Twig\Markup;
 use Twig\Source;
 use Twig\Template as TwigTemplate;
@@ -127,7 +128,13 @@ public static function attribute(
             $object instanceof BaseObject &&
             $object->canGetProperty($item)
         ) {
-            return $isDefinedTest ? true : $object->$item;
+            if ($isDefinedTest) {
+                return true;
+            }
+            if ($sandboxed) {
+                $env->getExtension(SandboxExtension::class)->checkPropertyAllowed($object, $item, $lineno, $source);
+            }
+            return $object->$item;
         }
 
         // Convert any \Twig\Markup arguments back to strings (unless the class *extends* \Twig\Markup)