Smarty

[sm@rty]

hi

my users saved own template and this compile by smarty engine.

i used enableSecurity() method.

it is safe ?

there(enableSecurity()) is enough ? not necessary another configuration ?



------------------------------------------------------------------------------------
translator helper: google translate

[U.Tews]

Security is good for situations when you have untrusted parties editing the templates eg via ftp, and you want to reduce the risk of system security compromises through the template language.

The default security rules are definined by the Smarty_Security class which is located in the sysplugins folder.
The default rules are activated when you call $smarty->enableSecurity();

See the examples at http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security for modifying the scurity rules for your needs.

For protection against external attackers it's most important that, if you use and allow the super globals $_GET and $_PUT, its content is check and sanitized before it may be used by the templates. Otherwise attackers might try to inject executable javascript code by passing it by URL parameter.

[sm@rty]

thank for reply.

yes . i used link http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security and this is very good.

more security for user limitation :

1. limitation in memory (for example user 'A' allowed 1M)
2. limitation in block if,foreach(limit loop) and etc ...
3. limitation in user define variable
4. better management of errors
5. and etc

these features is very important when we want Smarty available to people

but Smarty not support this features !

Does these features exist?

------------------------------------------------------------------------------------
translator helper: google translate