CVE-2026-46634: Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
When the sandbox is enabled selectively via SourcePolicyInterface (rather than globally), a sandboxed template that is allowed to call template_from_string() and include() can render an arbitrary inner template with no security policy enforcement.
Environment::createTemplate() compiles the inner string under a synthesized name (__string_template__<hash>), so a name/path-based SourcePolicy returns false for it, and the inner template's checkSecurity() becomes a no-op. From a template the integrator believes is sandboxed, an attacker can therefore use any tag, filter, or function (including constant() to read secrets, or |map("system") to execute shell commands).
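The mitigation the description implies is twofold: do not allow template_from_string in the sandbox's SecurityPolicy, and make the SourcePolicy fail closed so that the synthesized __string_template__<hash> names are sandboxed rather than trusted. The following is an added example (not code from the advisory or from the Twig project) showing both; it assumes Twig 3.x class names (Twig\Extension\SandboxExtension, Twig\Extension\StringLoaderExtension, Twig\Sandbox\SecurityPolicy, Twig\Extension\Sandbox\SourcePolicyInterface with its enableSandbox(Source) method) and that SandboxExtension accepts the SourcePolicy as its third constructor argument. The template content and the trusted/ prefix are constructed for the example.

```php
<?php
// Added example: a fail-closed SourcePolicy plus a SecurityPolicy that omits
// template_from_string. Class names and the SandboxExtension constructor
// signature are assumed from Twig 3.x; check them against your installed version.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\Sandbox\SourcePolicyInterface;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Source;

// Name-based policy that fails closed: only explicitly trusted names run
// unsandboxed. Anything else, including the synthesized __string_template__<hash>
// names that Environment::createTemplate() produces, is sandboxed. A policy that
// instead returns true only for a known "untrusted" prefix would return false
// for the synthesized name, which is the gap the advisory describes.
final class FailClosedSourcePolicy implements SourcePolicyInterface
{
    /** @param string[] $trustedPrefixes hypothetical trusted-template prefixes */
    public function __construct(private array $trustedPrefixes = ['trusted/'])
    {
    }

    public function enableSandbox(Source $source): bool
    {
        $name = $source->getName();
        foreach ($this->trustedPrefixes as $prefix) {
            if (str_starts_with($name, $prefix)) {
                return false; // trusted: no sandbox
            }
        }
        return true; // everything else, string templates included, is sandboxed
    }
}

$loader = new ArrayLoader([
    // Constructed sample of a user-controlled template that tries the pattern
    // from the advisory: build an inner template and include it.
    'user/profile.twig' => '{{ include(template_from_string("{{ constant(\'PHP_VERSION\') }}")) }}',
]);

$twig = new Environment($loader);
$twig->addExtension(new StringLoaderExtension()); // provides template_from_string()

// Minimal allow-list: tags, filters, methods, properties, functions.
// template_from_string is deliberately absent, so a sandboxed template cannot
// build an inner template at all; constant() is absent as well.
$policy = new SecurityPolicy(
    ['if', 'for'],          // allowed tags
    ['escape', 'upper'],    // allowed filters
    [],                     // allowed methods
    [],                     // allowed properties
    ['range']               // allowed functions
);
$twig->addExtension(new SandboxExtension($policy, false, new FailClosedSourcePolicy()));

try {
    echo $twig->render('user/profile.twig');
} catch (SecurityError $e) {
    // Expected path: the sandbox rejects template_from_string in the outer
    // template. Even if it were allowed, the inner template would now be
    // sandboxed too, so constant() would be rejected there.
    echo 'blocked: ' . $e->getMessage() . PHP_EOL;
}
```

The two controls are independent: the allow-list stops the outer template from calling template_from_string at all, and the fail-closed SourcePolicy ensures that any template whose name is not explicitly trusted, including ones the environment synthesizes, still gets checkSecurity() applied. Enabling the sandbox globally (the second constructor argument set to true) removes the dependency on name matching entirely, at the cost of sandboxing trusted templates as well.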