Page 1 of 1
[closed] Syntax error / smarty security
Posted: Wed Jun 03, 2015 7:25 pm
by Franck
I'm not sure where to report this, so don't hesitate to move the topic if needed.
I'm having the following error since I updated to latest built r173-10021:
Code: Select all
syntax error "tpl_body:6" line 1 "{assign 'MyClass' cgsimple::get_root_alias()|default:$page_alias}" access to static class 'cgsimple' not allowed by security setting
Is it a bug or something? Don't know what to do honestly. If anyone has a clue... Thank you.
Re: Syntax error / smarty security
Posted: Wed Jun 03, 2015 8:01 pm
by calguy1000
We implemented the smarty security policy to try to ensure that most users couldn't do silly things (without at least knowing that they were doing silly things) in the templates, including calling functions that they shouldn't be.
This means, that by default from now on only a limited set of php functions can be called from within smarty. Stuff like, isset(), count(), strlen(), is_array(), etc. basically php functions that are display related, and not related to gathering or modifying data. (it's all about view/controller type logic).
That being said... there is no way we can have this 'security policy' be tight for most sites that need it (the sites that allow anonymous users to enter data AND pass that data through smarty), and allow the advanced users to do cool stuff.
Therefore, there is now a new config variable available in $config (there are actually a few, you should look at the reference doc included in the install). that allows you to put whatever you want into smarty.
$config['permissive_smarty'] = 1;
will do the trick.
Re: Syntax error / smarty security
Posted: Wed Jun 03, 2015 8:08 pm
by Franck
Oh thanx, it works now.
I'll have a look at the reference doc for sure.