github smarty-php/smarty v5.8.2

7 hours ago

What's Changed

  • Security: prevent symlinks inside a trusted secure_dir/template directory from being used to read files outside of it (CWE-22 path traversal), affecting {include} and {fetch} of local files
  • Security: {html_image} now escapes the file, path_prefix, href/link, width and height attributes (it already escaped alt and pass-through attributes), and {html_select_date} casts day_size/month_size/year_size to int (matching {html_select_time}), preventing untrusted values passed into these attributes from breaking out of the generated HTML (CWE-79)
  • Security: {fetch} no longer follows HTTP redirects for remote resources while a security policy is active, preventing an open redirect on a trusted host from bypassing trusted_uri (CWE-918 server-side request forgery)
  • Fixed "Attempt to assign property step on null" error when using a {for} loop inside a block of an extended template #1036
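
The symlink item above comes down to where the trusted-directory comparison happens: on the path string, or on the path after the filesystem has resolved it. The following is an added example, not Smarty's code or its actual fix; the helper names `lexicallyInside` and `resolvedInside` and the temporary fixture are hypothetical, and POSIX paths are assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: string-only check, never consults the filesystem.
function lexicallyInside(string $path, string $trustedDir): bool
{
    $base = rtrim($trustedDir, '/') . '/';
    return strncmp($path, $base, strlen($base)) === 0
        && !in_array('..', explode('/', $path), true);
}

// Hypothetical helper: canonicalise both sides with realpath(), then compare.
function resolvedInside(string $path, string $trustedDir): bool
{
    $base = realpath($trustedDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false; // missing target or dangling link: deny
    }
    $base = rtrim($base, '/') . '/';
    return strncmp($real, $base, strlen($base)) === 0;
}

// Constructed fixture: a trusted template directory holding one regular
// file and one symlink whose target lives outside that directory.
$root    = sys_get_temp_dir() . '/smarty_demo_' . bin2hex(random_bytes(4));
$trusted = $root . '/templates';
$outside = $root . '/private';
mkdir($trusted, 0700, true);
mkdir($outside, 0700, true);
file_put_contents($trusted . '/page.tpl', 'hello');
file_put_contents($outside . '/config.ini', 'constructed sample');
symlink($outside . '/config.ini', $trusted . '/link.tpl');

// The lexical check accepts both names; the resolved check rejects the link.
foreach (['page.tpl', 'link.tpl'] as $name) {
    $path = $trusted . '/' . $name;
    printf("%-8s lexical=%-5s resolved=%s\n", $name,
        var_export(lexicallyInside($path, $trusted), true),
        var_export(resolvedInside($path, $trusted), true));
}

// Remove the fixture.
array_map('unlink', ["$trusted/link.tpl", "$trusted/page.tpl", "$outside/config.ini"]);
array_map('rmdir', [$trusted, $outside, $root]);
```

Reading from the canonical path that `realpath()` returned, rather than from the original name, narrows the window in which a link can be swapped between the check and the read.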

New Contributors

Full Changelog: v5.8.1...v5.8.2
