Smarty Security Policy - add to default modifiers


gbotica

Hi,

I am needing to update my email template Smarty Security Policy. I've had a look around the forum and it seems to be the source of some frustration.

I have an email template I'm implementing which requires the modifier 'strpos'. The daily cron is throwing an error, stating that this modifier is not allowed.

My question is: there is a list of stated "default" modifiers (http://docs.whmcs.com/Smarty_Security_Policy), but according to the wording on the page, setting the policy as per below would...

" ... restrict the use of variable modifiers so that strpos was the only variable modifier permitted ..."

$smarty_security_policy = array(
   'mail' => array(
       'php_modifiers' => array('strpos')
   )
);

... which means if the WHMCS Smarty Security Policy page is to be taken literally I would need to include the default modifiers as well, in order to retain the defaults and add 'strpos'.

$smarty_security_policy = array(
   'mail' => array(
       'php_modifiers' => array('strpos','escape','count','urlencode','ucfirst','date_format')
   )
);

I realise with a bit of messing about I could figure out which is the required method, but thought I'd ask if anyone knows the answer?

Thanks in advance for your help!


I realise with a bit of messing about I could figure out which is the required method, but thought I'd ask if anyone knows the answer?

that's the spirit!

if it helps, this is from our v7.1.2 dev...

// Smarty custom email based template policy:
$smarty_security_policy = array(
   'mail' => array(
       'php_functions' => array(
           'strstr','string_format','regex_replace','strip_tags','idn_to_ascii','idn_to_utf8',
       ),
   ),
);

if I need to use a function in an email template, I just add it to that list - never had an issue...


Is this to run PHP in smarty tags in email templates? I used the strpos function in a PHP code in a template file and it executed fine without adding any security policy.

but that's because you're using strpos within {php} tags. :roll:

the security policy is about using PHP functions within Smarty in the email templates.

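A pre-flight check for the "modifier is not allowed" error from the first post, as an added example that is not code from the thread or from WHMCS: it lists the modifiers and function calls an email template uses that are absent from the policy arrays, so only the names actually needed get added to the allowlist. It assumes piped names are checked against `php_modifiers` and called names against `php_functions`; the regex scan is a heuristic rather than Smarty's parser, and the sample template, its variable names and the empty `php_functions` set are constructed.

```python
import re

# php_modifiers holds the five default modifiers named in the question; the
# empty php_functions set is an assumption made for this example.
POLICY = {
    "php_modifiers": {"escape", "count", "urlencode", "ucfirst", "date_format"},
    "php_functions": set(),
}

# Constructed sample template; the variable names are illustrative only.
SAMPLE = """Dear {$client_name|ucfirst},
{* constructed example *}
{if strpos($product_name, 'VPS') !== false || $status eq 'Active'}
Due {$due_date|date_format:"%d|%m|%Y"} for {$domain|strtolower|escape}
{/if}
{literal}{$not|parsed}{/literal}
"""

COMMENT = re.compile(r"\{\*.*?\*\}", re.S)
LITERAL = re.compile(r"\{literal\}.*?\{/literal\}", re.S)
TAG = re.compile(r"\{(?!\s)([^{}]+)\}")  # "{ " is not a tag by default in Smarty 3
STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
MODIFIER = re.compile(r"(?<!\|)\|@?([A-Za-z_]\w*)")  # skips the "||" operator
CALL = re.compile(r"(?<![$>\w])(?<!::)([A-Za-z_]\w*)\s*\(")  # skips methods
KEYWORDS = {"if", "elseif", "while", "and", "or", "not"}


def names_used(template):
    """Return (modifiers, functions) referenced inside Smarty tags."""
    text = LITERAL.sub("", COMMENT.sub("", template))
    modifiers, functions = set(), set()
    for tag in TAG.findall(text):
        code = STRING.sub("''", tag)  # pipes and parens in strings are data
        modifiers.update(MODIFIER.findall(code))
        functions.update(n for n in CALL.findall(code) if n not in KEYWORDS)
    return modifiers, functions


def missing_from_policy(template, policy):
    """Names the template uses that the allowlists do not contain."""
    modifiers, functions = names_used(template)
    return {
        "php_modifiers": sorted(modifiers - policy["php_modifiers"]),
        "php_functions": sorted(functions - policy["php_functions"]),
    }


if __name__ == "__main__":
    print(missing_from_policy(SAMPLE, POLICY))
```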
