Smarty
carlitto Smarty n00b
Joined: 10 Oct 2019 Posts: 3
Posted: Thu Oct 10, 2019 6:45 am Post subject: Direct access to php define variables
Hi,
I upgraded from Smarty 3.1.21 to 3.1.33.
Apparently, if you have a PHP variable defined as follows:
define("myvar", "My var value");
it can be accessed in the template as {myvar}.
Can we stop this behavior? Is this standard Smarty, or is something else happening in the background?
In our app we have a variable defined called "assign", which breaks the template code when the assign tag is used.
Thanks!

bsmither Smarty Elite
Joined: 20 Dec 2011 Posts: 322 Location: West Coast
Posted: Thu Oct 10, 2019 6:08 pm
I have replicated this.
I first investigated using namespaces, but that seems to be far too involved to solve.
I then used the shortcut:
Code: {$varName = expression}
which seemed to work.

carlitto Smarty n00b
Joined: 10 Oct 2019 Posts: 3
Posted: Thu Oct 10, 2019 6:57 pm
The shorthand for assign works indeed.
However, all other tags are evaluating to PHP constants (custom blocks, functions, etc.).
Is there a setting to stop evaluating PHP constants this way?

bsmither Smarty Elite
Joined: 20 Dec 2011 Posts: 322 Location: West Coast
Posted: Thu Oct 10, 2019 8:36 pm
Just curious: Are you saying you have quite a few PHP constants using names of Smarty keywords?
If so, then the solution is to convince Smarty to not "see" these keywords as possible constants. Note: this is not the same as disallowing access to these constants.
That is, we can disallow access to constants. See:
https://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security
especially the allow_constants property, and see:
https://github.com/smarty-php/smarty/blob/master/NEW_FEATURES.txt
especially the trusted_constants parameter (line 260).
But, disallowing access to the constants still causes Smarty to throw an Exception announcing access has been denied -- the keyword not being 'bypassed' or 'ignored' as a constant but parsed as being a Smarty function.
So, no answer as yet.

carlitto Smarty n00b
Joined: 10 Oct 2019 Posts: 3
Posted: Fri Oct 11, 2019 4:47 am
Quote: Just curious: Are you saying you have quite a few PHP constants using names of Smarty keywords?
For some reason, yes, those constants are present and they do break with Smarty. This only happens starting with v3.1.23.
I've seen this part of the doc and they specifically indicate that the constants can be accessed using
Code: $smarty.const.variable
but not directly.
I think there should be a way to not directly "see" these keywords as constants, since anyone can break Smarty by defining a PHP variable having the same Smarty tag name (and the generated exception doesn't say much; it was hard to find). How can we convince Smarty? Shall I post this on GitHub?

bsmither Smarty Elite
Joined: 20 Dec 2011 Posts: 322 Location: West Coast
Posted: Fri Oct 11, 2019 7:01 am
It wouldn't hurt to post an issue in the GitHub.
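
A check for the collision described in this thread, as an added example that is not part of the original posts or of Smarty's own code: it lists user-defined PHP constants whose names match Smarty tag names, so they can be renamed before an upgrade. The tag list is a non-exhaustive sample assembled for the example, and `my_block` is a hypothetical custom tag name.

```php
<?php
// Added example: report user-defined PHP constants named like Smarty tags.

// Non-exhaustive sample of Smarty 3 built-in tags and bundled function
// plugins (assembled for this example; extend it for your Smarty version).
const SMARTY_TAG_NAMES = [
    'append', 'assign', 'block', 'break', 'call', 'capture', 'config_load',
    'continue', 'counter', 'cycle', 'debug', 'else', 'elseif', 'eval',
    'extends', 'fetch', 'for', 'foreach', 'foreachelse', 'function', 'if',
    'include', 'insert', 'ldelim', 'literal', 'mailto', 'math', 'nocache',
    'rdelim', 'section', 'sectionelse', 'setfilter', 'strip', 'textformat',
    'while',
];

/**
 * @param string[] $extraTags names of the application's own registered
 *                            blocks and functions (hypothetical input)
 * @return array<string, mixed> colliding constant name => its value
 */
function findTagConstantCollisions(array $extraTags = []): array
{
    // The 'user' group holds only constants created by application code.
    $userConstants = get_defined_constants(true)['user'] ?? [];
    $tagNames = array_flip(array_merge(SMARTY_TAG_NAMES, $extraTags));
    // Constant names are case-sensitive, so an exact key match is the test.
    $hits = array_intersect_key($userConstants, $tagNames);
    ksort($hits);
    return $hits;
}

// Constructed sample mirroring the thread: the app defines "assign" and "myvar".
define('assign', 'legacy flag');
define('myvar', 'My var value');
define('my_block', 1);

$collisions = findTagConstantCollisions(['my_block']);
foreach (array_keys($collisions) as $name) {
    echo "constant '$name' has the same name as a Smarty tag\n";
}
// A non-zero exit status lets a CI job fail when a collision is present.
exit($collisions ? 1 : 0);
```

In a real project the three `define()` calls are replaced by loading the application's bootstrap file, so the audit sees the constants the templates will see.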