Arrow function (aka "Lambda Expression" or "Anonymous Function") support in Symfony Expression Language component.
```
(a) -> { a * 2 }
 ^  ^      ^
 |  |      '----- Function body is a single expression that can make use of passed parameters or global variables.
 |  '------------ The lambda operator - input parameters are to the left and the output expression to the right.
 '--------------- Comma-separated list of parameters passed to arrow function.
```
Returning callbacks can be dangerous in PHP. If the returned value is not checked, PHP may end up executing arbitrary global functions, static class methods or object methods.
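```php
$language = new ExpressionLanguage();
// The expression text decides what evaluate() returns.
$expression = '(value) -> { value > 20 }';
$filter = $language->evaluate($expression);
// array_filter() accepts any callable, not only closures.
$values = array_filter([18, 23, 40], $filter);
```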
If `$expression` returns a string or array, `array_filter()` will arbitrarily call whatever was returned.
There are two solutions:
- Set the type declaration of methods using the callback to `Closure` (not `callable`!) - prone to mistakes and quite risky.
- The engine returns the callback wrapped in an object that cannot be invoked by default - this is the safest option (and default one).
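The two solutions side by side, as an added example that is not this component's own code: `filterLoose`, `filterStrict`, `attempt` and `WrappedCallback` are hypothetical names, and `$results` holds constructed stand-ins for what evaluating an expression could return. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Consumer typed as callable: a string or array naming a function is accepted.
function filterLoose(array $values, callable $filter): array
{
    return array_values(array_filter($values, $filter));
}

// Consumer typed as Closure: only a real closure object passes the type check.
function filterStrict(array $values, Closure $filter): array
{
    return array_values(array_filter($values, $filter));
}

// Hypothetical wrapper: no __invoke(), so PHP never treats it as callable;
// the closure has to be taken out explicitly.
final class WrappedCallback
{
    public function __construct(private Closure $inner) {}
    public function unwrap(): Closure { return $this->inner; }
}

// Runs one attempt and reports either the filtered values or the rejection.
function attempt(Closure $run): string
{
    try {
        return json_encode($run());
    } catch (TypeError $e) {
        return 'rejected (TypeError)';
    }
}

$values = [18, 23, 40];
// Constructed stand-ins for what evaluating an expression could return.
$results = [
    'closure' => fn ($v) => $v > 20,
    'string'  => 'is_string', // names a harmless global function
    'wrapped' => new WrappedCallback(fn ($v) => $v > 20),
];

foreach ($results as $kind => $r) {
    printf("%-8s callable-typed: %-22s Closure-typed: %s\n", $kind,
        attempt(fn () => filterLoose($values, $r)),
        attempt(fn () => filterStrict($values, $r)));
}
echo 'unwrapped: ', attempt(fn () => filterStrict($values, $results['wrapped']->unwrap())), "\n";
```

The `string` row is the case to watch: the `callable`-typed consumer runs the named global function, while the `Closure`-typed consumer rejects it before anything is called.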