PhpWriter: complex expression in strings prohibited in sandbox mode

Author: dg

src/Latte/Compiler/PhpWriter.php

@@ -226,6 +226,14 @@ public function validateTokens(MacroTokens $tokens): void
 			} elseif ($tokens->isCurrent('`')) {
 				throw new CompileException('Backtick operator is forbidden in Latte.');
 
+			} elseif (
+				$this->policy
+				&& $tokens->isCurrent($tokens::T_STRING)
+				&& $tokenValue[0] === '"'
+				&& (strpos($tokenValue, '{$') !== false || strpos($tokenValue, '${') !== false)
+			) {
+				throw new CompileException('Forbidden complex expressions in strings.');
+
 			} elseif (
 				Helpers::startsWith($tokenValue, '$ʟ_')
 				|| ($this->policy && $tokens->isCurrent('$this'))

tests/Latte/Policy.violations.phpt

@@ -128,3 +128,15 @@ Assert::exception(function () use ($latte) {
 Assert::exception(function () use ($latte) {
 	$latte->compile('{do new stdClass}');
 }, Latte\CompileException::class, "Forbidden keyword 'new' inside tag.");
+
+Assert::exception(function () use ($latte) {
+	$latte->compile('{="{$var}"}');
+}, Latte\CompileException::class, 'Forbidden complex expressions in strings.');
+
+Assert::exception(function () use ($latte) {
+	$latte->compile('{="${var}"}');
+}, Latte\CompileException::class, 'Forbidden complex expressions in strings.');
+
+Assert::noError(function () use ($latte) {
+	$latte->compile('{=\'${var}\'}');
+});