smarty/docs/en/programmers/api-variables/variable-security.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision$ -->
     <sect1 id="variable.security">
      <title>$security</title>
      <para>
       <parameter>$security</parameter> can be &true; or &false;,
       defaults to &false;. Security is good for
       situations when you have untrusted parties editing the templates
       eg via ftp, and you want to reduce the risk of system
       security compromises through the template language. Turning on
       security enforces the following rules to the template language,
      unless specifially overridden with <link linkend="variable.security.settings">
      <parameter>$security_settings</parameter></link>:
      </para>
      <itemizedlist>
<listitem>
<para>If <link linkend="variable.php.handling"><parameter>$php_handling</parameter></link>
is set to <constant>SMARTY_PHP_ALLOW</constant>, this is
implicitly changed to <constant>SMARTY_PHP_PASSTHRU</constant>
</para></listitem>
<listitem>
<para>
PHP functions are not allowed in <link
linkend="language.function.if"><varname>{if}</varname></link> statements,
except those specified in the
<link linkend="variable.security.settings"><parameter>$security_settings</parameter></link>
</para></listitem>
<listitem><para>
Templates can only be included from directories
listed in the
<link linkend="variable.secure.dir"><parameter>$secure_dir</parameter></link> array
</para></listitem>
<listitem><para>
Local files can only be fetched from directories listed in the
<link linkend="variable.secure.dir"><parameter>$secure_dir</parameter></link>
array using <link linkend="language.function.fetch"><varname>{fetch}</varname></link>
</para></listitem>
<listitem><para>
<link linkend="language.function.php"><varname>{php}{/php}</varname></link> tags are not allowed
</para></listitem>
<listitem><para>
PHP functions are not allowed as modifiers, except those specified in the
<link linkend="variable.security.settings"><parameter>$security_settings</parameter></link>
</para></listitem>
      </itemizedlist>
</sect1>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->