smarty icon indicating copy to clipboard operation
smarty copied to clipboard

Published 20 hours ago verified publisher icon smarty-php

Direct access to php constants breaking smarty

Open grapestech opened this issue 5 years ago • 4 comments

Hi,

We upgraded from Smarty 3.1.21 to 3.1.33

Apparently, if you have a php variable defined as follows :

define("myvar", "My var value");

It can be accessed in the template as {myvar}

Can we stop this behavior ?

In our app we have a php constant defined named "assign" which breaks the smarty template when the assign tag is used.

There should be a way to not directly "see" these keywords as constants since anyone can break smarty by defining a php variable having the same smarty tag name. And btw the generated exception doesn't say much, it was hard to find.

Thanks !

grapestech avatar Oct 11 '19 04:10 grapestech

A similar issue with inline constant support regarding array access ( #149) was fixed some years ago. In your case you can hack around this issue similarly by editing the file sysplugins/smarty_internal_templateparser.php. In function yy_r13() (line 2257) change

if (defined($tag)) {

to

if (0) {

Then the tagnames don't get replaced by defined values. This does the trick only for tagnames and is a hack only, of course. It should be changed in the template lexer, from which the file is generated. Cleanest solution would be to introduce a variable like $Smarty->useInlineConstants and adjust the lexer accordingly. So one could turn off inline constant support alltogether ($smarty.const.foo syntax would still work).

artcs avatar Oct 11 '19 12:10 artcs

Thanks for your reply.

Indeed this should be controlled via a setting specially that we're using smarty with composer so it doesn't make sense to hack a specific file in the smarty lib. Would appreciate adding this fix to the upcoming release.

grapestech avatar Oct 11 '19 21:10 grapestech

I also noticed a different parser behaviour for constants with PHP 7.3 early this year, see #534 . But I would think your usage of defining PHP variables via CONSTANT define() instead of VARIABLE assign() is just wrong, as far as I got you right. And taking the keyword assign as "constant" is bad too since that is build/prone to produce errors/false behaviours. You should keep things clear out of way, so that PHP evolution changes (like for constants) don't do that bad.

ophian avatar Oct 12 '19 07:10 ophian

anyone can break smarty by defining a php variable having the same smarty tag name

That's simply untrue. Please don't spread misinformation. Not to mention, this has nothing to do with PHP variables.

AnrDaemon avatar Feb 21 '20 16:02 AnrDaemon