smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-07-29 15:37:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Dropped remaining references to removed PHP-support in Smarty 4 from docs, lexer and security class.

Browse Source
This commit is contained in:
Simon Wisselink
2022-09-27 12:21:01 +02:00
parent 1b556c7077
commit 254b5cabee
13 changed files with 8 additions and 226 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
docs/programmers/advanced-features/advanced-features-security.md
View File

@ -8,22 +8,6 @@ security compromises through the template language.
The settings of the security policy are defined by properties of an
instance of the Smarty\_Security class. These are the possible settings:
- `$php_handling` determines how Smarty to handle PHP code embedded in
templates. Possible values are:
- Smarty::PHP\_PASSTHRU -\> echo PHP tags as they are
- Smarty::PHP\_QUOTE -\> escape tags as entities
- Smarty::PHP\_REMOVE -\> remove php tags
- Smarty::PHP\_ALLOW -\> execute php tags
The default value is Smarty::PHP\_PASSTHRU.
If security is enabled the [`$php_handling`](#variable.php.handling)
setting of the Smarty object is not checked for security.
- `$secure_dir` is an array of template directories that are
considered secure. [`$template_dir`](#variable.template.dir)
concidered secure implicitly. The default is an empty array.
@ -31,7 +15,7 @@ instance of the Smarty\_Security class. These are the possible settings:
- `$trusted_dir` is an array of all directories that are considered
trusted. Trusted directories are where you keep php scripts that are
executed directly from the templates with
[`{include_php}`](#language.function.include.php). The default is an
[`{insert}`](#language.function.insert.php). The default is an
empty array.
- `$trusted_uri` is an array of regular expressions matching URIs that
@ -110,12 +94,8 @@ instance of the Smarty\_Security class. These are the possible settings:
super globals can be accessed by the template. The default is
\"true\".
- `$allow_php_tag` is a boolean flag which controls if {php} and
{include\_php} tags can be used by the template. The default is
\"false\".
If security is enabled, no private methods, functions or properties of
static classes or assigned objects can be accessed (beginningwith
static classes or assigned objects can be accessed (beginning with
\'\_\') by the template.
To customize the security policy settings you can extend the
@ -128,8 +108,6 @@ Smarty\_Security class or create an instance of it.
class My_Security_Policy extends Smarty_Security {
// disable all PHP functions
public $php_functions = null;
// remove PHP tags
public $php_handling = Smarty::PHP_REMOVE;
// allow everthing as modifier
public $php_modifiers = array();
}
@ -145,8 +123,6 @@ Smarty\_Security class or create an instance of it.
$my_security_policy = new Smarty_Security($smarty);
// disable all PHP functions
$my_security_policy->php_functions = null;
// remove PHP tags
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
// allow everthing as modifier
$my_security_policy->php_modifiers = array();
// enable security