 |
Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon. |
|
| View previous topic :: View next topic |
| Author |
Message |
mniskanen
Smarty Rookie
Joined: 26 Apr 2003
Posts: 20
Location: Lieksa,Finland
|
 Posted: Tue Feb 16, 2010 7:02 pm Post subject: [solved] html_select_date and quotes problem |
 |
|
Hello,
Maybe I am just too tired to figure out what the problem is. Running version 2.6.20 and having this problem in one server (shortened a bit):
| Code: | {html_select_date
prefix="birth"
field_order="DMY"
day_extra="class='select_day' id='birthday'"
month_extra="class='select_month'"
year_extra="class='select_year'"
} |
Now it works perfectly in my original server but the compiler in the new server produces this:
| Code: | <?php echo smarty_function_html_select_date ... removed
'class='select_month'','year_extra' => 'class='select_year'' ... ?> |
replacing double quotes with single ones which breaks the PHP compiler. What is the setting I am missing here?
Seven+ years of Smarty and still a dumbhead at times.
Markku
Last edited by mniskanen on Wed Feb 17, 2010 9:27 am; edited 1 time in total |
|
| Back to top |
|
U.Tews
Administrator
Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany
|
| Posted: Tue Feb 16, 2010 8:52 pm Post subject: |
|
|
Strange that the servers don't produce same result.
Did you try to swap single and double quotes like
day_extra='class="select_day" id="birthday"' |
|
| Back to top |
|
mniskanen
Smarty Rookie
Joined: 26 Apr 2003
Posts: 20
Location: Lieksa,Finland
|
| Posted: Tue Feb 16, 2010 9:42 pm Post subject: |
|
|
Found it. I assumed that the version was the same, reading only the headers. However, there was an "improvement" against injection handling in the Smarty_Compiler. class.php that simply broke the whole thing:
| Code: | // replace double quoted literal string with single quotes
// The follwoing line has been replaced to close a function injection security hole (U.Tews)
// $_return = preg_replace('~^"([\s\w]+)"$~',"'\\1'",$_return);
$_return = str_replace('"',"'",$_return);
// escape dollar sign if not printing a var
$_return = preg_replace('~\$(\W)~',"\\\\\$\\1",$_return);
return $_return;
|
I had no time to refix the possible security hole, I reverted back to the original one. Please, please change the build number when doing something like this! Both of the files had this version info:
| Code: | | /* $Id: Smarty_Compiler.class.php 2773 2008-08-12 18:17:51Z Uwe.Tews $ */ |
and only diff'ing them revealed the difference. It is obvious that this change breaks the compilation in my example.
Markku |
|
| Back to top |
|
mniskanen
Smarty Rookie
Joined: 26 Apr 2003
Posts: 20
Location: Lieksa,Finland
|
| Posted: Wed Feb 17, 2010 9:35 am Post subject: |
|
|
| U.Tews wrote: |
Did you try to swap single and double quotes like
day_extra='class="select_day" id="birthday"' |
Forgot to comment on that one: As you understand all double quotes were gone from the compiled due to the code changes in the compiler class. If there are other similar instances of variable handling it will surely break them, too.
As for security the it should always first and foremost reside at the MC part of MVC and in the V part only when necessary. Precautions like properly filtering input from the browser and making sure that the data in the database is sane are much more effective. |
|
| Back to top |
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
