90 Commits

Author SHA1 Message Date
Simon Wisselink 1830aa7a12 version bump 2026-06-29 00:15:07 +02:00
Simon Wisselink ac27e1e5b6 fixed a regression from #1189 where a child template's block override no longer applied to a template {include}d by the parent
Fixes #1192
2026-06-29 00:12:45 +02:00
Simon Wisselink 75a738ad44 version bump 2026-06-24 10:04:39 +02:00
Simon Wisselink 11e69eca68 Security: escape value-context attributes in html_image/html_select_date (CWE-79)
{html_image} already escaped alt and pass-through attributes, but emitted
file, path_prefix, href/link, width and height raw, letting an untrusted
value break out of the generated tag. Escape these at output time; the
unescaped values are still used for getimagesize()/DPI math. Escaping uses
htmlspecialchars with double_encode=false, so existing entities and values
like "100%" are preserved (no BC break for legitimate values).

{html_select_date} treated day_size/month_size/year_size as strings and
emitted them raw into size="…"; cast them to int to match
{html_select_time} and close the breakout.

The remaining flagged parameters (mailto extra; html_table *_attr/
trailpad/caption/loop; html_radios/html_checkboxes separator;
html_select_* *_extra/field_separator and the unrecognised-attribute
pass-through) intentionally emit raw markup as documented, so escaping
them would break backwards compatibility. Add a security note to those
docs pages instead, telling authors to escape untrusted values themselves.

Adds tests for html_image escaping (incl. benign-value/no-double-encode
checks) and the html_select_date size cast.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:48:01 +02:00
Simon Wisselink 31e06fc087 Security: stop {fetch} from following redirects past trusted_uri (CWE-918)
{fetch} validates the requested URL with Security::isTrustedUri(), but
for non-http schemes (e.g. https) it reads the resource via
file_get_contents(), which follows redirects by default. An open redirect
on an otherwise trusted host could therefore be used to reach a
non-trusted, internal target, bypassing the trusted_uri policy (SSRF).

When a security policy is active, pass a stream context that disables
redirect-following (follow_location => 0, max_redirects => 1) to
file_get_contents() for remote resources. Behavior is unchanged when no
security policy is set, since there is no trusted_uri to bypass.

Adds a regression test using a custom stream wrapper that captures the
context {fetch} passes to file_get_contents, plus a backwards-compat test
for the no-security-policy case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:21:12 +02:00
Simon Wisselink 99c048ce7a Security: prevent symlink path traversal out of secure_dir (CWE-22)
Security::_checkDir() validated file access using Smarty::_realpath(),
which only normalizes paths as strings and never follows symlinks. A
symlink placed inside a trusted secure_dir/template directory therefore
passed the trust check while file_get_contents() followed it to an
arbitrary file (e.g. /etc/passwd), affecting {include} and {fetch} of
local files.

Resolve the requested file with native realpath() and re-validate the
canonical, symlink-free path against the trusted directories. The trusted
directories are canonicalized the same way so legitimate symlinked
deployment paths (e.g. a Capistrano "current" release symlink, or macOS'
/var -> /private/var) keep working. Falls back to string normalization
only when the file does not yet exist on disk.

Adds regression tests covering both the rejected escape and an allowed
in-sandbox symlink, and documents the changelog convention in AGENTS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 00:15:19 +02:00
Antonio Norman 1c9b2ce1d3 fix for Error: Attempt to assign property "step" on null closes issue #1036 (#1071)
* fix for Error: Attempt to assign property "step" on null in extended templates + added tests closes issue #1036
2026-06-23 23:50:43 +02:00
Simon Wisselink 6d06c5e61f version bump 2026-06-23 23:04:21 +02:00
Simon Wisselink 56ab75df2c Bugfix/issue 1189 inheritance state leak (#1190)
* Reproduce block override leakage in template inheritance
* Fixes #1189
2026-06-23 22:50:39 +02:00
Masatoshi Ogiwara 383e20e6b4 fix: return type (#1180) 2026-05-16 00:34:29 +02:00
Simon Wisselink 4ed569c674 version bump 2026-02-15 15:27:13 +01:00
Simon Wisselink 5487e31c4b Add support for Backed Enums (#1171)
* Add support for Backed Enums
Fixes #1012

Also added docs (and docs for matches operator)
2026-02-15 15:23:55 +01:00
Simon Wisselink 12ce28e265 Regex matches operator (#1169)
* Regex matches operator support
2026-02-15 14:44:48 +01:00
Simon Wisselink 139797a165 Support for Laravel Collections style object chaining (#1168)
* Support for Laravel Collections style object chaining for objects returned from function calls implemented as modifiers
Fixes #1151

* explain publishing docs
2026-02-11 00:02:52 +01:00
hirosan 6709d000cd Fix static analysis warnings for isDot() and remove deprecated APC support (#1164)
* Fix static analysis warnings for isDot()
* Remove deprecated APC support
* Remove redundant isDot() check and fix static analysis warnings
2026-01-08 11:21:57 +01:00
Simon Wisselink c0d7a36124 version bump 2025-11-19 22:36:36 +01:00
Wim Wisselink 21d7fbb67e Non-canonical cast (boolean) fix (#1145) 2025-10-17 14:45:38 +02:00
Simon Wisselink fe325daec0 version bump 2025-10-03 23:22:23 +02:00
pharixces b390e50974 Add support for shorttags in functions (#1142)
* Add support for shorttags in functions

Co-authored-by: Anne Zijlstra <a.zijlstra@iwink.nl>
Co-authored-by: Simon Wisselink <s.wisselink@iwink.nl>
2025-10-03 23:17:55 +02:00
Simon Wisselink 4d793ee04c version bump 2025-08-26 10:38:05 +02:00
Simon Wisselink 7677b84058 Fixed escaping of array/object keys in debug_print_var 2025-08-26 10:32:02 +02:00
Simon Wisselink 46cd224efb version bump 2025-05-19 11:29:40 +02:00
pharixces 693502c341 Bugfix/bcpluginsadapter support modifiercompiler (#1132)
* Add support for modifiercompiler in the BCPluginsAdapter class.

---------

Co-authored-by: Anne Zijlstra <a.zijlstra@iwink.nl>
2025-05-19 11:28:10 +02:00
Simon Wisselink f659193c94 version bump 2025-05-03 23:36:44 +02:00
hirosan 4ff25bbe59 Support trailing comma in array (#1128) 2025-05-03 23:34:15 +02:00
Simon Wisselink 6ad6a35824 version bump 2025-04-15 13:20:06 +02:00
gherosh 37bea77ea7 Update StringEval.php (#1126)
Fix: Implicitly marking parameter $_template as nullable is deprecated, the explicit nullable type must be used instead
2025-04-15 13:19:00 +02:00
Simon Wisselink 5401418258 version bump 2025-04-13 22:12:08 +02:00
Simon Wisselink a5bbba3f05 Fix syntax error occurring when registering a function plugin that ends with the string 'close' (#1124)
Fixes #1122
2025-04-10 23:47:44 +02:00
Simon Wisselink 5d1ea5806a change SMARTY_VERSION to $smarty.version.
Fixes #1073
2024-12-28 17:40:25 +01:00
Simon Wisselink 07faafe4da version bump 2024-12-23 01:38:41 +01:00
Simon Wisselink cf9de567c1 Restore special handling of isset and empty as it was in v4. Fixes #1063 (#1093)
* Restore special handling of isset and empty as it was in v4. Fixes #1063
2024-12-23 01:29:07 +01:00
Simon Wisselink f47ac761af replace/qualify call_user_func_array. (#1083)
Fixes #1074
2024-11-20 23:05:14 +01:00
Simon Wisselink 3bba3ff5e9 version bump 2024-11-20 22:18:13 +01:00
Wim Wisselink 1b06b37db2 Add PHP 8.4 support to Smarty (#1043) 2024-11-20 15:59:26 +01:00
Simon Wisselink 70ed68ff5b version bump 2024-08-30 01:10:42 +02:00
Atsushi Matsuo 30c6ee64ab Fix an issue that prevented the use of "extends:" to define the inheritance tree on Windows (#1056) 2024-08-28 23:09:34 +02:00
Simon Wisselink 77b91a072b version bump 2024-08-14 22:00:42 +02:00
Stephan Lueckl 1ccfca17d6 Fixing forced OpCache invalidation on every template include, which is resulting in fast-rising wasted OpCache memory #1007 (#1047)
* Fixing forced OpCache invalidation on every call, which is resulting in fast-rising wasted memory
* Fix undefined $path variable warning
---------

Co-authored-by: Daniel Metzner <daniel.metzner@niceshops.com>
2024-08-14 21:58:51 +02:00
Shad d6153d4d4d add missing closing tr tag (#1039) 2024-07-01 16:38:18 +02:00
Amaury Bouchard 2289fa69f1 Improvement of auto-escaping (#1030)
* Evolution of auto-escaping: no double-escaping when using the 'escape' modifier; add the 'force' mode to the 'escape' modifier; add the 'raw' modifier.
* Add 'raw' modifier's documentation
---------

Co-authored-by: Simon Wisselink <s.wisselink@iwink.nl>
2024-06-30 13:25:30 +02:00
Simon Wisselink a2193eb4cf version bump 2024-06-16 21:51:11 +02:00
Simon Wisselink 8ecde47203 fixed error when using section with nocache.
Fixes #1034
2024-06-16 21:48:14 +02:00
Simon Wisselink 20c08ac40d version bump 2024-05-30 13:14:54 +02:00
Simon Wisselink 4aa1273a80 Merge branch 'support/5' 2024-05-30 13:11:33 +02:00
Simon Wisselink 2a87c65994 implemented and documented prependTemplateDir. (#1025) 2024-05-29 15:32:47 +02:00
Simon Wisselink 06d6a5efd9 version bump 2024-05-28 23:45:14 +02:00
Simon Wisselink 0be92bc8a6 Merge pull request from GHSA-4rmg-292m-wg3w 2024-05-28 22:44:30 +02:00
Simon Wisselink 3293a873bd Remove unused attributes from config_load (#1004)
fixes #993
2024-04-29 10:01:40 +02:00
Simon Wisselink 47c4864dd1 version bump 2024-04-23 00:22:13 +02:00