{html_image} already escaped alt and pass-through attributes, but emitted
file, path_prefix, href/link, width and height raw, letting an untrusted
value break out of the generated tag. Escape these at output time; the
unescaped values are still used for getimagesize()/DPI math. Escaping uses
htmlspecialchars with double_encode=false, so existing entities and values
like "100%" are preserved (no BC break for legitimate values).
{html_select_date} treated day_size/month_size/year_size as strings and
emitted them raw into size="…"; cast them to int to match
{html_select_time} and close the breakout.
The remaining flagged parameters (mailto extra; html_table *_attr/
trailpad/caption/loop; html_radios/html_checkboxes separator;
html_select_* *_extra/field_separator and the unrecognised-attribute
pass-through) intentionally emit raw markup as documented, so escaping
them would break backwards compatibility. Add a security note to those
docs pages instead, telling authors to escape untrusted values themselves.
Adds tests for html_image escaping (incl. benign-value/no-double-encode
checks) and the html_select_date size cast.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
{fetch} validates the requested URL with Security::isTrustedUri(), but
for non-http schemes (e.g. https) it reads the resource via
file_get_contents(), which follows redirects by default. An open redirect
on an otherwise trusted host could therefore be used to reach a
non-trusted, internal target, bypassing the trusted_uri policy (SSRF).
When a security policy is active, pass a stream context that disables
redirect-following (follow_location => 0, max_redirects => 1) to
file_get_contents() for remote resources. Behavior is unchanged when no
security policy is set, since there is no trusted_uri to bypass.
Adds a regression test using a custom stream wrapper that captures the
context {fetch} passes to file_get_contents, plus a backwards-compat test
for the no-security-policy case.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
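The redirect-free remote read described in the {fetch} commit above, as an added example in plain PHP (not Smarty's own code; the function names, the prefix-based trust check and PHP 8 are assumptions):

```php
<?php
// Added example, not Smarty's {fetch} implementation: read a remote
// resource without following redirects while a security policy is active,
// so a redirect on a trusted host cannot steer the request to a host the
// trusted_uri list does not allow. Names are hypothetical; assumes PHP 8.
function is_trusted_uri(string $uri, array $trustedUris): bool
{
    // Stands in for Security::isTrustedUri(): the URI must equal a trusted
    // entry or sit below it (prefix match on a "/" boundary).
    foreach ($trustedUris as $trusted) {
        $base = rtrim($trusted, '/');
        if ($uri === $base || str_starts_with($uri, $base . '/')) {
            return true;
        }
    }
    return false;
}

function fetch_remote(string $uri, ?array $trustedUris): string|false
{
    // $trustedUris === null means no security policy: behaviour unchanged,
    // since there is no trusted_uri list that a redirect could bypass.
    if ($trustedUris === null) {
        return file_get_contents($uri);
    }
    if (!is_trusted_uri($uri, $trustedUris)) {
        throw new RuntimeException("URI '$uri' is not a trusted URI");
    }
    // Policy active: tell the http(s) wrapper not to follow Location headers.
    // Either option alone disables following; both are set as in the fix.
    // The 'http' context options also apply to https:// URLs.
    $context = stream_context_create([
        'http' => ['follow_location' => 0, 'max_redirects' => 1],
    ]);
    $body = file_get_contents($uri, false, $context);
    // With following disabled, a 3xx answer is handed back as an ordinary
    // response; refuse it rather than returning the redirect page as content.
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+3\d\d\b#', $http_response_header[0])) {
        throw new RuntimeException("Redirect from trusted URI '$uri' refused");
    }
    return $body;
}
```

A call such as `fetch_remote('https://cdn.example.com/banner.tpl', ['https://cdn.example.com'])` (constructed values) exercises the policy path; passing `null` as the second argument takes the unchanged no-policy path.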
Security::_checkDir() validated file access using Smarty::_realpath(),
which only normalizes paths as strings and never follows symlinks. A
symlink placed inside a trusted secure_dir/template directory therefore
passed the trust check while file_get_contents() followed it to an
arbitrary file (e.g. /etc/passwd), affecting {include} and {fetch} of
local files.
Resolve the requested file with native realpath() and re-validate the
canonical, symlink-free path against the trusted directories. The trusted
directories are canonicalized the same way so legitimate symlinked
deployment paths (e.g. a Capistrano "current" release symlink, or macOS'
/var -> /private/var) keep working. Falls back to string normalization
only when the file does not yet exist on disk.
Adds regression tests covering both the rejected escape and an allowed
in-sandbox symlink, and documents the changelog convention in AGENTS.md.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
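The canonical-path check described in the Security::_checkDir() commit above, as an added example (not Smarty's own code; function names are hypothetical, and a POSIX filesystem with PHP 8 is assumed). It also covers the not-yet-on-disk case by canonicalizing the parent directory before falling back to pure string normalization.

```php
<?php
// Added example, not Smarty's Security::_checkDir(): resolve the requested
// file with realpath() and re-check the canonical, symlink-free path against
// canonicalized trusted directories. Names are hypothetical; POSIX paths.
function normalize_path(string $path): string
{
    // String-only normalization, standing in for Smarty::_realpath(). Used
    // only when neither the file nor its parent directory exists yet.
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

function is_in_trusted_dir(string $file, array $trustedDirs): bool
{
    $candidate = realpath($file);
    if ($candidate === false) {
        // File not on disk yet: canonicalize its parent directory instead, so a
        // symlinked base path still resolves; string-normalize as a last resort.
        $parent = realpath(dirname($file));
        $candidate = $parent !== false
            ? rtrim($parent, '/') . '/' . basename($file)
            : normalize_path($file);
    }
    foreach ($trustedDirs as $dir) {
        // Canonicalize the trusted directory the same way, so a symlinked
        // deployment path (e.g. a "current" release link) matches its target.
        $realDir = realpath($dir);
        $prefix = rtrim($realDir !== false ? $realDir : normalize_path($dir), '/') . '/';
        if (str_starts_with($candidate, $prefix)) {
            return true;
        }
    }
    return false;
}

// Constructed sandbox: a symlink inside the trusted dir pointing outside it
// must be rejected, while an in-sandbox symlink and a new file are allowed.
$base = sys_get_temp_dir() . '/trust-demo-' . uniqid();
mkdir("$base/templates", 0700, true);
file_put_contents("$base/templates/page.tpl", 'ok');
file_put_contents("$base/secret.txt", 'outside the sandbox');
symlink("$base/secret.txt", "$base/templates/escape.tpl");
symlink("$base/templates/page.tpl", "$base/templates/alias.tpl");
$trusted = ["$base/templates"];
foreach (['escape.tpl', 'alias.tpl', '../secret.txt', 'new.tpl'] as $name) {
    printf("%-14s %s\n", $name, is_in_trusted_dir("$base/templates/$name", $trusted) ? 'allowed' : 'rejected');
}
```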
* Redirect test temp dirs to system temp directory. Fixes #1178
Move all test-generated output (compiled templates, cache files, and
temporary template sources) from per-test-directory folders inside the
working tree to a parallel structure under sys_get_temp_dir()/smarty-tests/.
This removes 215 boilerplate .gitignore files from the repo and ensures
running the test suite leaves zero uncommitted files in the working tree.
All 2296 tests continue to pass with identical behavior.
* Isolate each test class in a unique temp directory
getTempDir() now appends a per-class uniqid token to the temp path, so
concurrent or sequential test runs never share compiled/cached output.
The token is generated lazily on first use and reset in
tearDownAfterClass(), giving every test class a fresh isolated directory.
As a result, the Bootstrap.php pre-run cleanup of smarty-tests/ is no
longer needed for correctness (stale paths are unreachable) and was
harmful to concurrent runs, so it has been removed.
* Remove individualFolders dead code and spurious assertTrue from cleanDirs()
- Remove the never-active individualFolders code path from setUpSmarty()
(the constant was always true, making the branch unreachable)
- Remove define('individualFolders') from Config.php and the constructor
- Remove $this->assertTrue(true) from cleanDirs(): it existed solely to
make testInit() count as a passing test; now that cleanDirs() is called
from setUpSmarty() and from test methods directly, the assertion was
spuriously inflating assertion counts
- Add tests/**/templates_c/, cache/, templates_tmp/ to .gitignore to
prevent stale test output from appearing as untracked files
* Clean up each test class's unique temp dir in tearDownAfterClass()
Add a private static removeDir() helper and call it from
tearDownAfterClass() to recursively delete the per-class unique temp
directory after each test class finishes. Cleanup failures are silently
ignored (@ suppression) so they never cause test failures.
Set KEEP_SMARTY_TEST_ARTIFACTS=1 in the environment to skip cleanup and
keep the artifacts on disk for debugging.
* cleanup of unused template files, non-shared files stored in __shared folder, no longer required calls to add template folders et cetera
* fixed the unit tests
* Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* remove useless resetting of static properties in tearDownAfterClass
* changed an incorrect doc and formatted some code.
* add changelog
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Support for Laravel Collections style object chaining for objects returned from function calls implemented as modifiers
Fixes #1151
* explain publishing docs