From d34213232bd32d29c94b74267352b57d5a68cea3 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Fri, 12 Dec 2025 16:20:35 -0700
Subject: [PATCH] avoid mail in twig content trigger security error
Signed-off-by: Andy Miller
---
 system/src/Grav/Common/Security.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/system/src/Grav/Common/Security.php b/system/src/Grav/Common/Security.php
index 97433a9cf..74021366b 100644
--- a/system/src/Grav/Common/Security.php
+++ b/system/src/Grav/Common/Security.php
@@ -379,7 +379,8 @@ class Security
 ];
 // Build combined patterns (compile once, use many times)
- $quotedFunctions = array_map(fn($f) => preg_quote($f, '/'), $bad_twig_functions);
+ // Use word boundaries to avoid false positives (e.g., 'mail' matching 'email')
+ $quotedFunctions = array_map(fn($f) => '\b' . preg_quote($f, '/') . '\b', $bad_twig_functions);
 $functionsPattern = implode('|', $quotedFunctions);
 // Pattern for functions in Twig blocks
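Review bot: The `\b` anchors wrapped around each quoted name only work when every entry in `$bad_twig_functions` begins and ends with a word character; that list is defined above the hunk (the enclosing method starts and ends outside it), so this cannot be confirmed from here. An entry with leading or trailing punctuation would silently stop matching, and a deny-list that fails open is worse than one that over-matches. I would state the assumption in the added comment, e.g. `// \b assumes every name is a plain identifier; '_' is a word char, so 'send_mail' is no longer flagged`. Because this narrows a security filter, a regression test that content containing 'email' passes while a direct `mail(` call inside a Twig block is still rejected would pin both sides of the change.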