Smarty
sm@rty (Smarty Regular)
Joined: 01 Oct 2014, Posts: 65
Posted: Wed Oct 01, 2014 7:32 am, Post subject: security in smarty

hi
my users save their own templates, and these are compiled by the Smarty engine.
I used the enableSecurity() method.
Is it safe?
Is enableSecurity() enough? Is no other configuration necessary?
------------------------------------------------------------------------------------
translator helper: google translate
U.Tews (Administrator)
Joined: 22 Nov 2006, Posts: 5068, Location: Hamburg / Germany
Posted: Wed Oct 01, 2014 5:05 pm

Security is good for situations where you have untrusted parties editing the templates, e.g. via FTP, and you want to reduce the risk of system security compromises through the template language.
The default security rules are defined by the Smarty_Security class, which is located in the sysplugins folder.
The default rules are activated when you call $smarty->enableSecurity();
See the examples at http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security for modifying the security rules to your needs.
For protection against external attackers it is most important that, if you use and allow the super globals $_GET and $_POST, their content is checked and sanitized before it may be used by the templates. Otherwise attackers might try to inject executable JavaScript code by passing it in a URL parameter.
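As an added example of what U.Tews describes (this is not code from the thread or from the Smarty project): a Smarty_Security subclass that tightens the default rules before they are handed to enableSecurity(), combined with auto-escaping of everything the application assigns to the template. The class name, the directory paths, the sample templates and the sample "request" value are assumptions made for this illustration; the property names are those of Smarty 3.1's Smarty_Security.

```php
<?php
// Added example, not code from the thread or from the Smarty project: a
// restrictive Smarty 3.1 security policy for templates written by untrusted
// users. Class name, paths and sample templates are assumptions.
require_once 'libs/Smarty.class.php';

class UserTemplatePolicy extends Smarty_Security
{
    // Strip raw <?php ... ?> blocks from the template source instead of passing them through.
    public $php_handling = Smarty::PHP_REMOVE;

    // Template files may only be loaded from this directory (assumed path).
    public $secure_dir = array('/srv/app/user_templates');

    // No stream wrappers (file:, php://, ...) reachable from templates.
    public $streams = array();

    // Templates cannot read PHP constants or $smarty.get / $smarty.post / $smarty.server.
    public $allow_constants = false;
    public $allow_super_globals = false;

    // PHP functions callable as {func(...)}: a short allow-list, nothing that executes or reads files.
    public $php_functions = array('isset', 'empty', 'count', 'nl2br');

    // PHP functions usable as modifiers ({$x|strtoupper}); anything else is rejected.
    public $php_modifiers = array('escape', 'count', 'strtoupper', 'strtolower', 'nl2br');

    // Smarty modifier plugins the user may apply (an empty array would allow all of them).
    public $allowed_modifiers = array('escape', 'truncate', 'upper', 'lower', 'nl2br', 'default', 'date_format');

    // Tags that pull in other files or evaluate code are refused at compile time.
    public $disabled_tags = array('include', 'include_php', 'extends', 'fetch', 'eval', 'insert', 'php');
}

$smarty = new Smarty();
$smarty->setTemplateDir('/srv/app/user_templates'); // assumed path, matches $secure_dir
$smarty->setCompileDir('/srv/app/templates_c');     // assumed path, writable by the web server
$smarty->escape_html = true;                        // every {$var} is HTML-escaped on output
$smarty->enableSecurity('UserTemplatePolicy');

/**
 * Compile and render one user-supplied template from a string (no file on disk)
 * with the request data the application has decided to expose to it.
 */
function renderUserTemplate(Smarty $smarty, $source, array $vars)
{
    $smarty->clearAllAssign();
    $smarty->assign($vars);
    try {
        return $smarty->fetch('string:' . $source);
    } catch (SmartyCompilerException $e) {
        // A disallowed tag, function, modifier or super global lands here,
        // before any part of the template has run.
        return 'template rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (SmartyException $e) {
        return 'template error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}

// Constructed value standing in for a URL parameter an attacker controls.
$vars = array('name' => '<script>alert(document.cookie)</script>');

$templates = array(
    // Benign template: escape_html turns the payload into &lt;script&gt;...
    'Hello {$name}!',
    // Rejected: system() is not in $php_functions.
    '{system("id")}',
    // Rejected: super globals are disallowed, so the template cannot read $_GET itself.
    '{$smarty.get.name}',
    // Rejected: {include} is in $disabled_tags (and the path is outside $secure_dir anyway).
    '{include file="/etc/passwd"}',
);

foreach ($templates as $tpl) {
    echo $tpl, "\n  => ", renderUserTemplate($smarty, $tpl, $vars), "\n";
}
```

Two points worth keeping in mind when using this. The policy is enforced while the user's template is compiled, so a template that names a disallowed function, tag or modifier never produces a compiled PHP file, and the exception is catchable per template. escape_html covers U.Tews's remark about $_GET and $_POST only for data the application assigns; it does not replace validating that data on the server side, and a user who writes {$var nofilter} opts out of it for that variable.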
sm@rty (Smarty Regular)
Joined: 01 Oct 2014, Posts: 65
Posted: Wed Oct 01, 2014 10:29 pm

thanks for the reply.
yes, I used the link http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security and it is very good.
more security for limiting users:
1. a limit on memory (for example user 'A' is allowed 1M)
2. a limit on blocks such as if, foreach (limiting loops), etc.
3. a limit on user-defined variables
4. better management of errors
5. etc.
these features are very important when we want to make Smarty available to people,
but Smarty does not support these features!
Do these features exist?
------------------------------------------------------------------------------------
translator helper: google translate
Powered by phpBB © 2001, 2005 phpBB Group