updated security to not include insecure docs, only warning

mohrt
2001-07-11 20:50:43 +00:00
parent 565e80a66c
commit 1636977970
5 changed files with 374 additions and 341 deletions

19
FAQ

@@ -67,11 +67,6 @@ A: Be sure you set $compile_check=false once your templates are initially
it doesn't do unnecessary work (like db calls) if a cached page is it doesn't do unnecessary work (like db calls) if a cached page is
available. See the documentation for examples. available. See the documentation for examples.
Q: Can I use Macromedia's Dreamweaver to edit my templates?
A: Certainly. You might want to change your tag delimiters from {} to something
that resembles valid HTML, like <!--{ }--> or <{ }> or something similar.
This way the editor won't view the template tags as errors.
Q: Do you have a mailing list? Q: Do you have a mailing list?
A: Yes. Subscribe by sending an e-mail to subscribe-smarty@lists.ispi.net. This A: Yes. Subscribe by sending an e-mail to subscribe-smarty@lists.ispi.net. This
is also archived at http://marc.theaimsgroup.com/?l=smarty&r=1&w=2 is also archived at http://marc.theaimsgroup.com/?l=smarty&r=1&w=2
@@ -144,3 +139,17 @@ A: The easiest thing to do is grab all of PEAR and install it locally for your
own use. There's nothing that says PEAR must be installed in its default own use. There's nothing that says PEAR must be installed in its default
directory. There won't be a version of Smarty that runs without PEAR, as it directory. There won't be a version of Smarty that runs without PEAR, as it
dependant on it, and may become moreso in the future. dependant on it, and may become moreso in the future.
DREAMWEAVER
-----------
Q: Can I use Macromedia's Dreamweaver to edit my templates?
A: Certainly. You might want to change your tag delimiters from {} to something
that resembles valid HTML, like <!--{ }--> or <{ }> or something similar.
This way the editor won't view the template tags as errors.
Q: Dreamweaver is urlencoding the template delimiters when they are in a SRC or
HREF link. How do I get around this?
A: In Edit - Properties - Rewrite HTML you can specify if Dreamweaver should
change special letters to %-equivalent or not. The default is on which
produces this error.

2
NEWS

@@ -1,5 +1,7 @@
Version 1.4.4 Version 1.4.4
------------- -------------
- fixed problem with including insecure templates with security enabled
(Monte)
- numerous documentation updates. (Monte) - numerous documentation updates. (Monte)
- added ENT_QUOTES to escapement of html. (Monte, Sam Beckwith) - added ENT_QUOTES to escapement of html. (Monte, Sam Beckwith)
- implemented access to request variables via auto-assigned $smarty - implemented access to request variables via auto-assigned $smarty


@@ -568,7 +568,8 @@ class Smarty
// buffering - for speed // buffering - for speed
if ($display && !$this->caching) { if ($display && !$this->caching) {
echo $info_header; echo $info_header;
$this->_process_template($tpl_file, $compile_path); if($this->_process_template($tpl_file, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n";
} }
@@ -576,10 +577,12 @@ class Smarty
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n";
} }
}
} else { } else {
ob_start(); ob_start();
echo $info_header; echo $info_header;
$this->_process_template($tpl_file, $compile_path); if($this->_process_template($tpl_file, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n";
} }
@@ -587,6 +590,7 @@ class Smarty
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n";
} }
}
$results = ob_get_contents(); $results = ob_get_contents();
ob_end_clean(); ob_end_clean();
} }
@@ -660,7 +664,8 @@ class Smarty
function _generate_debug_output() { function _generate_debug_output() {
ob_start(); ob_start();
$this->_process_template($this->debug_tpl, $compile_path); if($this->_process_template($this->debug_tpl, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$this->debug_tpl." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$this->debug_tpl." -->\n";
} }
@@ -668,6 +673,7 @@ function _generate_debug_output() {
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$this->debug_tpl." -->\n"; echo "\n<!-- SMARTY_END: ".$this->debug_tpl." -->\n";
} }
}
$results = ob_get_contents(); $results = ob_get_contents();
ob_end_clean(); ob_end_clean();
return $results; return $results;
@@ -689,7 +695,9 @@ function _generate_debug_output() {
return true; return true;
} else { } else {
// get template source and timestamp // get template source and timestamp
$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp); if(!$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp)) {
return false;
}
if ($template_timestamp <= $this->_fetch_compiled_template_timestamp($compile_path)) { if ($template_timestamp <= $this->_fetch_compiled_template_timestamp($compile_path)) {
// template not expired, no recompile // template not expired, no recompile
return true; return true;
@@ -702,7 +710,9 @@ function _generate_debug_output() {
} }
} else { } else {
// compiled template does not exist, or forced compile // compiled template does not exist, or forced compile
$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp); if(!$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp)) {
return false;
}
$this->_compile_template($tpl_file, $template_source, $template_compiled); $this->_compile_template($tpl_file, $template_source, $template_compiled);
$this->_write_compiled_template($compile_path, $template_compiled); $this->_write_compiled_template($compile_path, $template_compiled);
return true; return true;
@@ -869,8 +879,8 @@ function _generate_debug_output() {
array_unshift($this->_config, $this->_config[0]); array_unshift($this->_config, $this->_config[0]);
$this->_process_template($_smarty_include_tpl_file, $compile_path); if($this->_process_template($_smarty_include_tpl_file, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$_smarty_include_tpl_file." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$_smarty_include_tpl_file." -->\n";
} }
@@ -880,6 +890,7 @@ function _generate_debug_output() {
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$_smarty_include_tpl_file." -->\n"; echo "\n<!-- SMARTY_END: ".$_smarty_include_tpl_file." -->\n";
} }
}
array_shift($this->_config); array_shift($this->_config);
$this->_inclusion_depth--; $this->_inclusion_depth--;
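Review bot: The new `return false` in `_process_template` is reached only on the two paths that call `_fetch_template_source`; the early `return true` at the top of the same hunk, taken when a compiled copy already exists and the source is not re-fetched, never consults it, so whatever makes `_fetch_template_source` refuse a template (presumably the insecure-template check the commit title refers to, which is not visible in these hunks) is skipped for any template that was compiled before security was switched on. If that check is meant to gate inclusion, it belongs at the top of `_process_template`, before the compiled-template fast path, rather than inside the source fetch; the two duplicated `if(!$this->_fetch_template_source(...)) { return false; }` guards could then collapse into that single early check. On the recompile path the results of `_compile_template` and `_write_compiled_template` are still ignored, so a failed compile or write reports `return true` to the four call sites that now branch on the result. `_process_template` begins above its hunk, and the callers' enclosing functions (`fetch`, `_generate_debug_output`, `_smarty_include`) are cut at the hunk edges.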


@@ -650,7 +650,7 @@ $smarty->assign(array("city" => "Lincoln","state" => "Nebraska"));
console</link>, and should probably never be used directly. console</link>, and should probably never be used directly.
</para> </para>
<example> <example>
<title>assign</title> <title>assign_debug_info</title>
<programlisting> <programlisting>
// passing name/value pairs // passing name/value pairs
@@ -876,7 +876,7 @@ function print_current_date ($params) {
// we don't want template designers to have access to system files // we don't want template designers to have access to system files
$smarty->unregister_modifier("fetch"); $smarty->unregister_function("fetch");
</programlisting> </programlisting>
</example> </example>
@@ -2443,8 +2443,7 @@ e-mail: jane@mydomain.com&lt;p&gt;
These are indicated by percent signs around the variable name, like so: These are indicated by percent signs around the variable name, like so:
%sectionname.varname% %sectionname.varname%
</para> </para>
</sect2> <sect3>
<sect2>
<title>index</title> <title>index</title>
<para> <para>
index is used to display the current loop index, starting with zero index is used to display the current loop index, starting with zero
@@ -2472,8 +2471,8 @@ OUTPUT:
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>index_prev</title> <title>index_prev</title>
<para> <para>
index_prev is used to display the previous loop index. index_prev is used to display the previous loop index.
@@ -2502,8 +2501,8 @@ OUTPUT:
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>index_next</title> <title>index_next</title>
<para> <para>
index_next is used to display the next loop index. On the last index_next is used to display the next loop index. On the last
@@ -2533,8 +2532,8 @@ OUTPUT:
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>iteration</title> <title>iteration</title>
<para> <para>
iteration is used to display the current loop iteration. iteration is used to display the current loop iteration.
@@ -2573,8 +2572,8 @@ current loop iteration: 3
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>first</title> <title>first</title>
<para> <para>
first is set to true if the current section iteration is the first first is set to true if the current section iteration is the first
@@ -2607,8 +2606,8 @@ OUTPUT:
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>last</title> <title>last</title>
<para> <para>
last is set to true if the current section iteration is the last last is set to true if the current section iteration is the last
@@ -2641,8 +2640,8 @@ OUTPUT:
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>rownum</title> <title>rownum</title>
<para> <para>
rownum is used to display the current loop iteration, rownum is used to display the current loop iteration,
@@ -2664,8 +2663,8 @@ OUTPUT:
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>loop</title> <title>loop</title>
<para> <para>
loop is used to display the last index number that this section loop is used to display the last index number that this section
@@ -2690,8 +2689,8 @@ There were 3 customers shown above.
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>show</title> <title>show</title>
<para> <para>
<emphasis>show</emphasis> is used as a parameter to section. <emphasis>show</emphasis> is used as a parameter to section.
@@ -2725,8 +2724,8 @@ the section was shown.
</programlisting> </programlisting>
</example> </example>
</sect2> </sect3>
<sect2> <sect3>
<title>total</title> <title>total</title>
<para> <para>
total is used to display the number of iterations that this section total is used to display the number of iterations that this section
@@ -2754,6 +2753,7 @@ There were 3 customers shown above.
</programlisting> </programlisting>
</example> </example>
</sect3>
</sect2> </sect2>
<sect2> <sect2>
<title>strip</title> <title>strip</title>
@@ -3400,7 +3400,7 @@ OUTPUT:
<title>html_select_time</title> <title>html_select_time</title>
<programlisting> <programlisting>
{html_select_time use_24_hours=false} {html_select_time use_24_hours=true}
OUTPUT: OUTPUT:


@@ -568,7 +568,8 @@ class Smarty
// buffering - for speed // buffering - for speed
if ($display && !$this->caching) { if ($display && !$this->caching) {
echo $info_header; echo $info_header;
$this->_process_template($tpl_file, $compile_path); if($this->_process_template($tpl_file, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n";
} }
@@ -576,10 +577,12 @@ class Smarty
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n";
} }
}
} else { } else {
ob_start(); ob_start();
echo $info_header; echo $info_header;
$this->_process_template($tpl_file, $compile_path); if($this->_process_template($tpl_file, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$tpl_file." -->\n";
} }
@@ -587,6 +590,7 @@ class Smarty
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n"; echo "\n<!-- SMARTY_END: ".$tpl_file." -->\n";
} }
}
$results = ob_get_contents(); $results = ob_get_contents();
ob_end_clean(); ob_end_clean();
} }
@@ -660,7 +664,8 @@ class Smarty
function _generate_debug_output() { function _generate_debug_output() {
ob_start(); ob_start();
$this->_process_template($this->debug_tpl, $compile_path); if($this->_process_template($this->debug_tpl, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$this->debug_tpl." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$this->debug_tpl." -->\n";
} }
@@ -668,6 +673,7 @@ function _generate_debug_output() {
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$this->debug_tpl." -->\n"; echo "\n<!-- SMARTY_END: ".$this->debug_tpl." -->\n";
} }
}
$results = ob_get_contents(); $results = ob_get_contents();
ob_end_clean(); ob_end_clean();
return $results; return $results;
@@ -689,7 +695,9 @@ function _generate_debug_output() {
return true; return true;
} else { } else {
// get template source and timestamp // get template source and timestamp
$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp); if(!$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp)) {
return false;
}
if ($template_timestamp <= $this->_fetch_compiled_template_timestamp($compile_path)) { if ($template_timestamp <= $this->_fetch_compiled_template_timestamp($compile_path)) {
// template not expired, no recompile // template not expired, no recompile
return true; return true;
@@ -702,7 +710,9 @@ function _generate_debug_output() {
} }
} else { } else {
// compiled template does not exist, or forced compile // compiled template does not exist, or forced compile
$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp); if(!$this->_fetch_template_source($tpl_file, $template_source, $template_timestamp)) {
return false;
}
$this->_compile_template($tpl_file, $template_source, $template_compiled); $this->_compile_template($tpl_file, $template_source, $template_compiled);
$this->_write_compiled_template($compile_path, $template_compiled); $this->_write_compiled_template($compile_path, $template_compiled);
return true; return true;
@@ -869,8 +879,8 @@ function _generate_debug_output() {
array_unshift($this->_config, $this->_config[0]); array_unshift($this->_config, $this->_config[0]);
$this->_process_template($_smarty_include_tpl_file, $compile_path); if($this->_process_template($_smarty_include_tpl_file, $compile_path))
{
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_BEGIN: ".$_smarty_include_tpl_file." -->\n"; echo "\n<!-- SMARTY_BEGIN: ".$_smarty_include_tpl_file." -->\n";
} }
@@ -880,6 +890,7 @@ function _generate_debug_output() {
if ($this->show_info_include) { if ($this->show_info_include) {
echo "\n<!-- SMARTY_END: ".$_smarty_include_tpl_file." -->\n"; echo "\n<!-- SMARTY_END: ".$_smarty_include_tpl_file." -->\n";
} }
}
array_shift($this->_config); array_shift($this->_config);
$this->_inclusion_depth--; $this->_inclusion_depth--;
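Review bot: In `_process_template` the refusal signalled by `_fetch_template_source` returning false is honoured only on the two branches that fetch the source; the `return true` fast path at the start of the hunk, taken when a compiled template is already present and not rechecked, bypasses it entirely, so a template compiled before the security setting was enabled is still included without the warning this commit introduces (the check itself lives in `_fetch_template_source`, outside these hunks, so this is inferred from the control flow). A safer shape is to run that check once at the top of `_process_template` and `return false` there, ahead of the compiled-template test, which also removes the two identical guards added in this hunk. The `_compile_template` and `_write_compiled_template` calls that follow the second guard still have their results discarded, so the function returns true even when compilation or the write fails. `_process_template` starts above the hunk and the four call sites that now test its return value belong to functions cut at the hunk boundaries.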