Smarty Updates

[jce76350]

On 08/08/2023 version v5.0.0-rc1 was released as an RC version
The future version 5.0.0 will be released soon. A planned evolution for our cms?
At the moment CMSms 2.2.28 is still in Smarty 4.2.1 (14 Sep 2022) while the latest Smarty version is 4.3.4 (14 Sep 2023)?

[tomphantoo]

FYI
Among other changes, Smarty 4.3 deprecates use of PHP functions (built-in or application-defined) as modifiers in templates e.g. {$somestring|md5} even when such is permitted by the Smarty security-policy settings.
One response to that might have been to replace such modifiers with function-calls e.g. {md5($somestring)}, again, if such method is permitted by the security-policy settings.
Another response could be a registered generic modifier-plugin e.g. {$somestring|adjust:'md5'}

Along comes Smarty 5, the current early version of which omits all support for using PHP functions either directly or as a modifier. Unless it's a permitted static method in a class e.g. {class::method($somevar)}

It will probably be possible to individually register each relevant function as a Smarty plugin (up goes the memory usage), but there's no evident way to bulk-enable them.

Might be wise for module-devs etc to think about and prepare for deploying workarounds, in templates and the variables provided to templates.

Or else, some other security mechanism might be substituted for use of Smarty security-policy. If so, need a while to implement and almost certainly going to also need workarounds.

Or else, a massive campaign by users convinces Smarty devs to change the approach.

Or else, CMSMS doesn't go to Smarty 5.

[creopard]

An important and interesting topic!

Could examples like {$somestring|md5} or {md5($somestring)} get migitated with CMSMS's "user defined tags"?

[Jo Morg]

Too much ado about nothing, in my opinion. We have been having discussions in the Dev Team about the policies we want to adopt, or keep from those we already have, and one is to prevent as much as possible the amount of breakage from one major version to another and, to some extent, what features we want to keep having in CMSMS as a product in the long run. The fact that we use external libraries, such as Smarty, doesn't mean that we are going to stop having the features we are set to keep supporting regardless of what the libraries' developers may have in mind for their own roadmap, and to that extent, at some point our version of Smarty was even a bit modified to be integrated and supported the way we wanted to. That has no longer been the case for some time, but some of the needed mechanisms to allow us to do some customization are still in place so that shouldn't be a worry unless we explicitly announce we are going to deprecate anything ourselves either on our own or to keep inline with the libraries' developers decisions. Integration also means that, if needed, we will support ourselves any modified library to fit our needs, regardless of what the libraries modifications may or may not bring. There are a lot of plans for the next major version of CMSMS and all that will be made public when we are ready to do so. If any of the next versions of CMSMS will break functionalities, that will be extensively publicized, these features will be deprecated with plenty of time for both us and our users base to be able to adapt to new options, that we will make sure that will be available.
Any other considerations about this theme are just conjectures, nothing more. We will keep updating Smarty as needed, not always to the latest version as sometimes versions are not yet mature enough to be usable with CMS Made Simple, but as possible and required. Since we use Smarty even for our installer and it has some very specific requirements to be usable in a number of different environments, there may be times when both libraries will be out of sync in terms of used versions for each.
But as things may change, we will keep our community up to date to what is coming next.
We only ask a bit of patience for now as there is a lot going on.
Thanks