form/process/save/body default setting does not pass security check

[canuckdev]

Using latest dev image, I notice the form/process/save/body default setting does not pass security check as it uses the include tag.

So

    process:
        save:
          body: "{% include 'forms/data.txt.twig' %}" # include tag is blocked by security!

can be the text in forms/data.txt.twig

    process:
        save:
          body: "{% extends 'forms/default/data.txt.twig' %}" # include tag is blocked by security!

[canuckdev]

Security check is in system/src/Grav/Common/Twig/Twig.php processString() function.

[Xoriander]

The security check which blocks the include tag was introduced in Grav 1.8.0-beta.27:

grav/system/src/Grav/Common/Security.php

Lines 279 to 284 in 0f879bd

	/**
	* Get compiled dangerous Twig patterns (cached for performance)
	*
	* @return array{functions: string, properties: string, calls: string, join: string}
	*/
	private static function getDangerousTwigPatterns(): array

For the email body include tag the blocking issue was fixed: getgrav/grav-plugin-email@e928a0b

It seems to be there is no fix for the grav-plugin-form at the moment:
https://github.com/getgrav/grav-plugin-form/blob/514e2479b3b59adea3da36e5a640b8a2b1286af5/form.php#L666-L671

[canuckdev]

Thanks. I confirm that's what I observed, that email body with include works fine.