Hi,
Because of the wrong release today I had a Smarty 5.0.0-rc1 on a dev enviorment. So I start moving the smarty plugins code from 4 to 5. I noticed a new behavoir:
When registering the plugins trough registerPlugin (same as before) the output of functions are now escaped if smarty is started with setEscapeHtml(true).
As our pentesters love this setting (not), we want to leave it on. But the result of our template functions are now useless to us.
And yes we escape beforehand. But if something slips trough setEscapeHtml will save the day.
So how can we have the setEscapeHtml(true) so it will not escape functions. Or can we return in the function some var so it won't escape? (as we now only return a string)
Example:
{insertCSFR}
must insert: (smarty <5)
<input type="hidden" name="_CSRF_INDEX" value="wTPNGFfqOp9NxM4jJoy8OKmA" /> <input type="hidden" name="_CSRF_TOKEN" value="dtjnI82HmcjX-_tkIQlSKvF6bxlNyN99Qh-CQlG_AHg=" />
But now it renders to: (smarty 5)
<input type="hidden" name="_CSRF_INDEX" value="dXLFTSfGeAzDtkppYKxKLmOl" /> <input type="hidden" name="_CSRF_TOKEN" value="YXbZFOh30iXiIDdn7opFnVHDt0tNBNkA_pFR0P-t1kE=" />
and that is because it compiles to: (smarty 5)
<?php echo htmlspecialchars((string) $_smarty_tpl->getSmarty()->getFunctionHandler('insertcsfrtoken')->handle(array(), $_smarty_tpl), ENT_QUOTES, 'UTF-8');?>
instead of: (smarty < 5)
<?php echo call_user_func_array( $_smarty_tpl->smarty->registered_plugins[Smarty::PLUGIN_FUNCTION]['insertCSFRToken'][0], array( array(),$_smarty_tpl ) );?>
So how can we fix this?
Thanks,
Tim
Hi,
Because of the wrong release today I had a Smarty 5.0.0-rc1 on a dev enviorment. So I start moving the smarty plugins code from 4 to 5. I noticed a new behavoir:
When registering the plugins trough
registerPlugin(same as before) the output of functions are now escaped if smarty is started withsetEscapeHtml(true).As our pentesters love this setting (not), we want to leave it on. But the result of our template functions are now useless to us.
And yes we escape beforehand. But if something slips trough setEscapeHtml will save the day.
So how can we have the
setEscapeHtml(true)so it will not escape functions. Or can we return in the function some var so it won't escape? (as we now only return a string)Example:
{insertCSFR}must insert: (smarty <5)
<input type="hidden" name="_CSRF_INDEX" value="wTPNGFfqOp9NxM4jJoy8OKmA" /> <input type="hidden" name="_CSRF_TOKEN" value="dtjnI82HmcjX-_tkIQlSKvF6bxlNyN99Qh-CQlG_AHg=" />But now it renders to: (smarty 5)
<input type="hidden" name="_CSRF_INDEX" value="dXLFTSfGeAzDtkppYKxKLmOl" /> <input type="hidden" name="_CSRF_TOKEN" value="YXbZFOh30iXiIDdn7opFnVHDt0tNBNkA_pFR0P-t1kE=" />and that is because it compiles to: (smarty 5)
<?php echo htmlspecialchars((string) $_smarty_tpl->getSmarty()->getFunctionHandler('insertcsfrtoken')->handle(array(), $_smarty_tpl), ENT_QUOTES, 'UTF-8');?>instead of: (smarty < 5)
<?php echo call_user_func_array( $_smarty_tpl->smarty->registered_plugins[Smarty::PLUGIN_FUNCTION]['insertCSFRToken'][0], array( array(),$_smarty_tpl ) );?>So how can we fix this?
Thanks,
Tim