Deprecate enableTwigSandbox()

Author: riasvdv

src/Config/GeneralConfig.php

@@ -1240,24 +1240,6 @@ class GeneralConfig extends BaseConfig
      */
     public bool $enableTemplateCaching = true;
 
-    /**
-     * @var bool Whether all Twig templates should be sandboxed.
-     *
-     * ::: code
-     * ```php Static Config
-     * ->enableTwigSandbox(false)
-     * ```
-     * ```shell Environment Override
-     * CRAFT_ENABLE_TWIG_SANDBOX=false
-     * ```
-     * :::
-     *
-     * @see enableTwigSandbox()
-     *
-     * @group Security
-     */
-    public bool $enableTwigSandbox = false;
-
     /**
      * @var string The prefix that should be prepended to HTTP error status codes when determining the path to look for an error’s template.
      *
@@ -4747,9 +4729,10 @@ public function enableTemplateCaching(bool $value = true): self
      *
      * @see $enableTwigSandbox
      */
+    #[Deprecated(message: 'in 6.0.0. Sandbox is always enabled.')]
     public function enableTwigSandbox(bool $value = true): self
     {
-        $this->enableTwigSandbox = $value;
+        app()->booting(fn () => Deprecator::log('generalConfig.enableTwigSandbox', 'Calling enableTwigSandbox() is deprecated. Sandbox is always enabled.'));
 
         return $this;
     }

yii2-adapter/legacy/web/View.php

@@ -432,7 +432,7 @@ public function createTwig(): Environment
         $twig->getRuntime(EscaperRuntime::class)->addSafeClass($safeClass, ['html']);
 
         // Even an empty security policy will prevent non-closures from being allowed as arrow functions
-        $twig->addExtension(new SandboxExtension(new SecurityPolicy(), Cms::config()->enableTwigSandbox));
+        $twig->addExtension(new SandboxExtension(new SecurityPolicy(), true));
 
         $twig->addExtension(new StringLoaderExtension());
         $twig->addExtension(new Extension($this, $twig));