Package: smarty
Version: 2.6.18-1
Severity: important

I wanted to make my smarty templates secure by default, but smarty seems to prevent me from doing so.

I'm doing this:

    $smarty->default_modifiers = array("escape:'htmlall'");
    $smarty->assign('paras', array(
        array('heading'=>'head 1','text'=>'text 1'),
        array('heading'=>'head 2','text'=>'text 2')
    ) );

And putting this in the template:

    {foreach from=$paras item="para" key="para_id"}
    <h1>{$para.heading}</h1>
    {$para.text}
    {/foreach}

And I get this twice:

    Warning: htmlentities() expects parameter 1 to be string, array given in /usr/share/php/smarty/libs/plugins/modifier.escape.php on line 29

Modifying modifier.escape.php indicates that smarty is passing the value of $para to the default modifier functions instead of passing the values of $para['heading'] and $para['text'] to the default modifier functions.

If I turn off default_modifiers and manually add escapes to each variable, everything is fine.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages smarty depends on:
ii  php5        5.2.4-2      server-side, HTML-embedded scripti
ii  php5-cgi    5.2.4-2+b1   server-side, HTML-embedded scripti
ii  php5-cli    5.2.4-2+b1   command-line interpreter for the p

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
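
The workaround in the report (default_modifiers off, an escape added by hand to each variable) only holds if no variable is missed, so a template check like the following can list output tags that lack one. This is an added example, not part of the original report or of Smarty; the function name unescaped_vars and the sample template are constructed, and Smarty's default { } delimiters are assumed.

```python
import re

# Assumption: Smarty 2 default delimiters ({ and }) are in use.
COMMENT = re.compile(r"\{\*.*?\*\}", re.S)                 # {* template comment *}
LITERAL = re.compile(r"\{literal\}.*?\{/literal\}", re.S)  # raw blocks, e.g. inline JS
VAR_TAG = re.compile(r"\{(\$[^}]*)\}")                     # {$var...} output tags only
ESCAPED = re.compile(r"\|\s*@?escape\b")                   # any escape modifier counts


def _blank(match):
    # Replace a skipped region with its newlines so line numbers stay correct.
    return "\n" * match.group(0).count("\n")


def unescaped_vars(template):
    """Return (line, tag) for every {$var} output tag without an escape modifier.

    Limitations: the escape type is not checked against the output context,
    and a '}' inside a quoted modifier argument ends the tag early.
    """
    text = LITERAL.sub(_blank, COMMENT.sub(_blank, template))
    findings = []
    for m in VAR_TAG.finditer(text):
        if not ESCAPED.search(m.group(1)):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0)))
    return findings


# Constructed sample: the template from the report with one escape added by
# hand, one variable left bare, and one variable inside a template comment.
SAMPLE = """{foreach from=$paras item="para" key="para_id"}
<h1>{$para.heading|escape:'htmlall'}</h1>
{$para.text}
{* {$para.note} is commented out *}
{/foreach}
"""

if __name__ == "__main__":
    for line, tag in unescaped_vars(SAMPLE):
        print(f"line {line}: {tag} is output without |escape")
```

Variables used as tag arguments, such as from=$paras, are not reported because only tags that begin with {$ produce output.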