security: use Twig in Sandbox mode

* revert disabling of Twig functions

not enough, not the right approach

* proof of concept: twig sandboxing

* allow all twig tags, filters, functions

* allow all template accessors

* refactor: extract TwigSandbox class

* fix: add missing accessors

composer.json

@@ -8,7 +8,7 @@
     "monolog/monolog": "2.9.*",
     "symfony/yaml": "6.0.*",
     "symfony/polyfill-mbstring": "1.27.*",
-    "twig/twig": "3.6.1",
+    "twig/twig": "3.14.0",
     "geoip2/geoip2": "~2.0",
     "matomo/device-detector": "6.1.*",
     "phpunit/php-timer": "5.0.*",
@@ -17,7 +17,8 @@
     "dariuszp/cli-progress-bar": "^1.0",
     "league/csv": "9.8.0",
     "gajus/dindent": "^2.0",
-    "ramsey/uuid": "^4.7"
+    "ramsey/uuid": "^4.7",
+    "symfony/deprecation-contracts": "^3.0"
   },
   "require-dev": {
     "pear/pear_exception": "1.0.*@dev",

lib/modules/contributors/template/avatar.php

@@ -11,6 +11,7 @@
  * Requires the "Contributor" module.
  *
  * @deprecated since 2.2.0
+ *
  * @templatetag avatar
  */
 class Avatar extends Wrapper

lib/template/date_time.php

@@ -21,7 +21,9 @@ public function __construct($timestamp)
     // /////////
 
     /**
-     * $format parameter is @deprecated, use DateTime.format instead.
+     * Get date and time in default format.
+     *
+     * @accessor
      */
     public function __toString()
     {

lib/template/duration.php

@@ -20,6 +20,11 @@ public function __construct(\Podlove\Model\Episode $episode)
     // Accessors
     // /////////
 
+    /**
+     * Get default duration display.
+     *
+     * @accessor
+     */
     public function __toString()
     {
         if (!$this->totalMilliseconds()) {