2.14.0

Author: bencroker

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release Notes for Sprig
 
+## 2.14.0 - 2025-04-09
+
+- Updated htmx to version 2.0.4 ([changelog](https://github.com/bigskysoftware/htmx/blob/master/CHANGELOG.md#204---2024-12-13)).
+- The Sprig Playground component template is now rendered in a sandboxed context.
+- Fixed an information disclosure vulnerability.
+- Fixed an XSS vulnerability.
+
 ## 2.13.1 - 2024-10-23
 
 ### Changed

composer.json

@@ -1,14 +1,15 @@
 {
   "name": "putyourlightson/craft-sprig",
   "description": "A reactive Twig component framework for Craft.",
-  "version": "2.13.1",
+  "version": "2.14.0",
   "type": "craft-plugin",
   "license": "mit",
   "require": {
     "php": "^8.0.2",
     "craftcms/cms": "^4.0",
     "nystudio107/craft-code-editor": "^1.0.0",
-    "putyourlightson/craft-sprig-core": "^2.12.4"
+    "nystudio107/craft-twig-sandbox": "^4.0.2",
+    "putyourlightson/craft-sprig-core": "^2.13.0"
   },
   "require-dev": {
     "craftcms/ecs": "dev-main",

src/components/SprigPlayground.php

@@ -5,6 +5,7 @@
 use Craft;
 use craft\web\View;
 use Exception;
+use nystudio107\crafttwigsandbox\web\SandboxView;
 use putyourlightson\sprig\base\Component;
 use putyourlightson\sprig\plugin\Sprig;
 use yii\web\ForbiddenHttpException;
@@ -41,7 +42,8 @@ public function render(): string
         Craft::$app->getResponse()->getHeaders()->set('Sprig-Playground-Variables', $headerVariables);
 
         try {
-            return Craft::$app->getView()->renderString($this->_getComponent(), $variables, View::TEMPLATE_MODE_SITE, true);
+            $sandboxView = new SandboxView();
+            return $sandboxView->renderString($this->_getComponent(), $variables, View::TEMPLATE_MODE_SITE, true);
         } catch (Exception $exception) {
             return $this->_getErrorMessage($exception->getMessage());
         }

src/controllers/PlaygroundController.php

@@ -46,11 +46,11 @@ public function actionIndex(int $id = null, string $slug = null): Response
      */
     public function actionSave(): Response
     {
-        $request = Craft::$app->getRequest();
+        $this->requirePostRequest();
 
-        $name = $request->getParam('name', '');
-        $component = $request->getParam('component', '');
-        $variables = $request->getParam('variables', '');
+        $name = $this->request->getParam('name', '');
+        $component = $this->request->getParam('component', '');
+        $variables = $this->request->getParam('variables', '');
 
         $id = Sprig::$plugin->playground->save($name, $component, $variables);
 
@@ -64,11 +64,11 @@ public function actionSave(): Response
      */
     public function actionUpdate(): Response
     {
-        $request = Craft::$app->getRequest();
+        $this->requirePostRequest();
 
-        $id = $request->getParam('id');
-        $component = $request->getParam('component', '');
-        $variables = $request->getParam('variables', '');
+        $id = $this->request->getParam('id');
+        $component = $this->request->getParam('component', '');
+        $variables = $this->request->getParam('variables', '');
 
         Sprig::$plugin->playground->update($id, $component, $variables);
 
@@ -82,9 +82,9 @@ public function actionUpdate(): Response
      */
     public function actionDelete(): Response
     {
-        $request = Craft::$app->getRequest();
+        $this->requirePostRequest();
 
-        $id = $request->getParam('id');
+        $id = $this->request->getParam('id');
 
         Sprig::$plugin->playground->delete($id);