Simon Wisselink 11e69eca68 Security: escape value-context attributes in html_image/html_select_date (CWE-79)
{html_image} already escaped alt and pass-through attributes, but emitted
file, path_prefix, href/link, width and height raw, letting an untrusted
value break out of the generated tag. Escape these at output time; the
unescaped values are still used for getimagesize()/DPI math. Escaping uses
htmlspecialchars with double_encode=false, so existing entities and values
like "100%" are preserved (no BC break for legitimate values).

{html_select_date} treated day_size/month_size/year_size as strings and
emitted them raw into size="…"; cast them to int to match
{html_select_time} and close the breakout.

The remaining flagged parameters (mailto extra; html_table *_attr/
trailpad/caption/loop; html_radios/html_checkboxes separator;
html_select_* *_extra/field_separator and the unrecognised-attribute
pass-through) intentionally emit raw markup as documented, so escaping
them would break backwards compatibility. Add a security note to those
docs pages instead, telling authors to escape untrusted values themselves.

Adds tests for html_image escaping (incl. benign-value/no-double-encode
checks) and the html_select_date size cast.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
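The output-time escaping and the int cast the commit describes, as an added example that is not Smarty's own code: escape_attr, build_img_tag and size_attr are hypothetical helpers that mimic the output step of {html_image} and the size handling of {html_select_date}, fed with constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example, not Smarty's own code. escape_attr/build_img_tag/size_attr
// are hypothetical helpers that mimic the output step described in the commit.

/** Escape one value for a double-quoted attribute. double_encode=false keeps
 *  entities that are already present (e.g. "&amp;") from becoming "&amp;amp;". */
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

/** Build an <img> tag from untrusted parameters, escaping at output time only.
 *  The raw width/height stay available for numeric work, as with getimagesize(). */
function build_img_tag(array $p): string
{
    $attrs = ['src' => ($p['path_prefix'] ?? '') . ($p['file'] ?? '')];
    foreach (['alt', 'width', 'height'] as $name) {
        if (isset($p[$name]) && $p[$name] !== '') {
            $attrs[$name] = (string) $p[$name];
        }
    }
    $html = '<img';
    foreach ($attrs as $name => $value) {
        $html .= ' ' . $name . '="' . escape_attr($value) . '"';
    }
    $html .= ' />';
    if (!empty($p['href'])) {
        $html = '<a href="' . escape_attr((string) $p['href']) . '">' . $html . '</a>';
    }
    return $html;
}

/** size="…" for a <select>: the int cast leaves nothing but digits to emit. */
function size_attr($size): string
{
    $n = (int) $size;
    return $n > 0 ? ' size="' . $n . '"' : '';
}

// Constructed inputs: a benign value with an existing entity and a percentage
// (both must survive unchanged), then values that try to close the attribute
// and the tag (quotes and angle brackets must come out as entities).
echo build_img_tag(['file' => 'a.png', 'alt' => 'Tom &amp; Jerry', 'width' => '100%']), "\n";
echo build_img_tag(['file' => 'a.png" data-x="', 'href' => '/a"><b>']), "\n";
echo '<select' . size_attr('3" data-x="1') . '></select>', "\n";
```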
Smarty template engine

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.

Documentation

Read the documentation to find out how to use it.

Requirements

Smarty v5 can be run with PHP 7.2 to PHP 8.5.

Installation

Smarty versions 3.1.11 or later can be installed with Composer.

To get the latest stable version of Smarty use:

composer require smarty/smarty

More in the Getting Started section of the docs.

Sponsors

Smarty is sponsored by:

Thank you!
