Mirror of https://github.com/smarty-php/smarty.git, synced 2026-07-04 23:41:02 +02:00. Commit 11e69eca688e8dbd230c7c0d38cefc27bf2114ba:
{html_image} already escaped alt and pass-through attributes, but emitted
file, path_prefix, href/link, width and height raw, letting an untrusted
value break out of the generated tag. Escape these at output time; the
unescaped values are still used for getimagesize()/DPI math. Escaping uses
htmlspecialchars with double_encode=false, so existing entities and values
like "100%" are preserved (no BC break for legitimate values).

{html_select_date} treated day_size/month_size/year_size as strings and
emitted them raw into size="…"; cast them to int to match
{html_select_time} and close the breakout.

The remaining flagged parameters (mailto extra; html_table *_attr/
trailpad/caption/loop; html_radios/html_checkboxes separator;
html_select_* *_extra/field_separator and the unrecognised-attribute
pass-through) intentionally emit raw markup as documented, so escaping
them would break backwards compatibility. Add a security note to those
docs pages instead, telling authors to escape untrusted values themselves.

Adds tests for html_image escaping (incl. benign-value/no-double-encode
checks) and the html_select_date size cast.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
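The attribute breakout and the two fixes the commit message describes, as an added example that is not Smarty's own plugin code. The function names (html_image_before, html_image_after, esc, size_attr), the reduced tag layout and the sample input are assumptions made for illustration; the real {html_image} and {html_select_date} plugins handle many more parameters.

```php
<?php
// Added example, not Smarty's own code. Reproduces the attribute-breakout
// class of bug from the commit message on a cut-down version of the
// {html_image} tag builder. Function names and tag layout are assumptions.

declare(strict_types=1);

/**
 * "Before": the behaviour the commit describes. alt is escaped but
 * file/width/height are concatenated raw, so a value containing a double
 * quote closes the attribute and injects a new one. Deliberately vulnerable.
 */
function html_image_before(array $params): string
{
    $alt = htmlspecialchars((string) ($params['alt'] ?? ''), ENT_QUOTES, 'UTF-8');
    return '<img src="' . ($params['file'] ?? '') . '" alt="' . $alt . '"'
        . ' width="' . ($params['width'] ?? '') . '"'
        . ' height="' . ($params['height'] ?? '') . '" />';
}

/**
 * Output-time escaping with double_encode=false: an already-encoded entity
 * such as &amp; is left alone instead of becoming &amp;amp;, and characters
 * like "%" are untouched, so legitimate values such as "100%" survive.
 */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

/**
 * "After": every emitted attribute goes through esc(). The raw values are
 * kept separately; they are what you would still hand to getimagesize()
 * for the width/height/DPI calculation, since only the markup is escaped.
 */
function html_image_after(array $params): string
{
    $file   = (string) ($params['file'] ?? '');   // raw copy stays usable for getimagesize()
    $alt    = (string) ($params['alt'] ?? '');
    $width  = (string) ($params['width'] ?? '');
    $height = (string) ($params['height'] ?? '');
    return '<img src="' . esc($file) . '" alt="' . esc($alt) . '"'
        . ' width="' . esc($width) . '" height="' . esc($height) . '" />';
}

/**
 * {html_select_date} counterpart: the size attribute is cast to int, the
 * same thing {html_select_time} already did. A hostile string like
 * '3" onfocus="alert(1)' collapses to its leading integer, so nothing
 * other than digits can reach the size="…" attribute.
 *
 * @param int|string $size untrusted day_size/month_size/year_size value
 */
function size_attr($size): string
{
    return ' size="' . (int) $size . '"';
}

// Constructed untrusted input (not from any real site): a file name that
// closes src="…" and smuggles an event handler; an alt that already holds
// an entity; a percentage width that must not be mangled.
$hostile = [
    'file'   => 'logo.png" onerror="alert(1)',
    'alt'    => 'Company logo &amp; more',
    'width'  => '100%',
    'height' => '50',
];

// In the "before" output the injected onerror handler sits in the tag as a
// real attribute; in the "after" output the quote is encoded as &quot; and
// the whole payload stays inside the src value, while &amp; and 100% are
// emitted unchanged.
echo html_image_before($hostile), PHP_EOL;
echo html_image_after($hostile), PHP_EOL;
echo '<select name="Date_Day"' . size_attr('3" onfocus="alert(1)') . '>', PHP_EOL;
```

For the parameters the commit leaves raw on purpose (html_table caption and *_attr, the separator of html_radios/html_checkboxes, the *_extra and field_separator of the html_select_* plugins, mailto extra), the escaping has to happen in the template before the value is handed to the plugin, for example by applying Smarty's `|escape` modifier to any variable that carries untrusted data.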
Smarty template engine
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.
Documentation
Read the documentation to find out how to use it.
Requirements
Smarty v5 can be run with PHP 7.2 to PHP 8.5.
Installation
Smarty versions 3.1.11 or later can be installed with Composer.
To get the latest stable version of Smarty use:
composer require smarty/smarty
More in the Getting Started section of the docs.
Sponsors
Smarty is sponsored by:
- Marc Laporte @marclaporte
- Temma, the MVC framework based on Smarty
Thank you!