News Archives
The "vulnerability" issues explained
[12-April-2005]
It seems that some people have been misled about the recent vulnerability issues
(and fixes) related to Smarty. For example, this security
bulletin is just dead wrong. The vulnerability issues do NOT open your
server to remote attack (as this suggests). They only apply to Smarty
users that have untrusted third parties editing template files. By default, you
can execute PHP functions in the templates, such as {php} echo 'foo'; {/php}.
When template security is enabled, it prohibits PHP function
execution in the templates. There have been a few loopholes discovered and
patched. If you do not use template security features, then none of the
vulnerability issues apply to you.
Smarty 2.6.9 Released
[31-March-2005]
This is a patch release for those using the security features of Smarty.
Variable function calls such as $foo() in {if} statements and {math}
equations allowed PHP function execution from within a template, even with
security enabled. Variable function calls have been disabled completely. If you
are using security features, this upgrade is highly recommended.
ChangeLog here.
download it here.
Smarty 2.6.8 Released
[21-March-2005]
For those using template security:
A vulnerability in the regex_replace modifier has been fixed that allowed PHP
code to be executed from a template, even with template security enabled. If you
are using template security features, it is highly recommended to upgrade, or at
least replace the modifier plugin. A problem with the {strip}{/strip} tags (that
was introduced in 2.6.7) has been fixed. Casting objects to arrays in the
{foreach} "item" attribute has been addressed.
ChangeLog here.
download it here.
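As an added illustration (not code from the Smarty project), the script below scans a template supplied by an untrusted editor for the three constructs named in the notices above: {php} tags, $foo() calls inside {if} and {math}, and the regex_replace modifier. It assumes Smarty's default { } delimiters; the sample template, the function name audit_template and the rule names are constructed for this example.

```python
import re

# Assumption: templates use Smarty's default { } delimiters.
TAG = re.compile(r"\{([^{}\n]+)\}")
VAR_CALL = re.compile(r"\$\w+\s*\(")            # $foo( ... ) style call
REGEX_MOD = re.compile(r"\|\s*regex_replace\b")  # |regex_replace modifier

# Constructed sample of a template submitted by a third party.
SAMPLE = r"""<h1>{$title|escape}</h1>
{php} echo 'foo'; {/php}
{if $foo()}yes{/if}
{math equation="x + y" x=$a y=$b}
{$body|regex_replace:"/[\r\n]/":" "}
"""

def audit_template(source):
    """Return (line, rule, tag) for each construct the release notes name."""
    findings = []
    for m in TAG.finditer(source):
        body = m.group(1).strip()
        parts = body.split(None, 1)
        name = parts[0] if parts else ""
        line = source.count("\n", 0, m.start()) + 1
        # {php} blocks run by default; template security refuses them.
        if name == "php":
            findings.append((line, "php-tag", m.group(0)))
        # Variable function calls in {if}/{math}: disabled in 2.6.9.
        if name in ("if", "elseif", "math") and VAR_CALL.search(body):
            findings.append((line, "variable-function-call", m.group(0)))
        # regex_replace modifier: fixed in 2.6.8.
        if REGEX_MOD.search(body):
            findings.append((line, "regex_replace-modifier", m.group(0)))
    return findings

if __name__ == "__main__":
    for line, rule, tag in audit_template(SAMPLE):
        print(f"line {line}: {rule}: {tag}")
```

A hit is a prompt to review the template and check the installed Smarty version, not proof of abuse; ordinary uses of regex_replace are flagged too.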
Sample Application: Guestbook
[15-March-2005] There is a new sample application
available from the navigation bar. This sample demonstrates
using Smarty for presentation separation, including some form
validation and database access.
Smarty at NOTACON
[01-March-2005] Mark Stanislav will be giving a
talk, "Get Smart[y]: The Smarty Template Engine for PHP" at NOTACON (Northern Ohio Technological Advancement
Conference). The conference will be held April 8th-10th.
Smarty goes to Mexico
[15-February-2005]
Once again, John Coggeshall presents Programming Smarty
at the php|Tropics '05 convention
in Cancun, Mexico.
HTML_QuickForm and Smarty
[15-February-2005] David Perrin brings us
HTML_QuickForm and Smarty in the February edition of php|arch, don't miss your copy!
Smarty 2.6.7 Released
[3-February-2005]
Those using Smarty with template security enabled: a vulnerability was
discovered that allows PHP code to be executed from within a template file,
even with the template security features enabled. This has been fixed in this
release among other minor fixes and enhancements which can be found in the
ChangeLog.
ChangeLog here.
download it here.
Italian docs are available
[17-December-2004]
Gianluca Gillini provided an Italian translation of the docs.
You can read it online here or get it
here.
Smarty 2.6.6 Released
[13-October-2004]
This release is focused on minor fixes. The 'core' directory has been moved to
'internals', so be sure to do a clean re-install and clear the compile/cache
files as usual.
ChangeLog here.
download it here.
Spanish docs released
[07-October-2004]
Mario Ramírez provided a Spanish translation of the docs.
You can read it online here or get it
here.
Smarty 2.6.5 Released
[13-September-2004]
This release fixes object syntax parsing issues introduced in 2.6.4. If you are
using 2.6.4, it is highly recommended to update. Also when template security is
enabled, direct access to PHP constants is now disabled by default.
ChangeLog here.
download it here.
Smarty 2.6.4 Released
[7-September-2004]
This release is focused on minor fixes and minor new features.
ChangeLog here.
download it here.
Smarty 2.6.3 Released
[16-June-2004]
This release is focused on minor fixes and minor new features.
ChangeLog here.
download it here.
Smarty Russian docs available
[21-May-2004]
Russian docs are now available!
Thanks go to Sergei Suslenkov and Antony Dovgal.
Smarty Makes the Front Page
[15-April-2004]
John Coggeshall talks about Smarty and
Internationalization in the April 2004 issue of
php|architect. Don't miss your copy ;)
Smarty 2.6.2 Released
[17-February-2004]
This is mostly a minor bug fix release, see the ChangeLog. Important Note: due to the overwhelming FAQs
regarding safe_mode, $use_sub_dirs now
defaults to false. If you want Smarty to continue to create
sub-directories in your $compile_dir and $cache_dir, you must explicitly set
this to true. Clear your compile_dir and cache_dir upon upgrade as usual.
ChangeLog here.
download it here.
Smarty 2.6.1 Released
[16-January-2004]
This release is focused on minor fixes and minor new features. $global_assign
has been removed; assign globals explicitly if you need them. $SCRIPT_NAME is
still assigned for backward compatibility. You can make your debug console
persist by using SMARTY_DEBUG=on or SMARTY_DEBUG=off in the URL. Superglobals $_*
are now used by default instead of $HTTP_*_VARS.
ChangeLog here.
download it here.
Smarty Takes a Cruise
[23-December-2003]
John Coggeshall will be wrapping up
the php|Cruise '04 with a session discussing
Smarty.
Smarty Portuguese docs available
[23-December-2003]
Brazilian Portuguese docs are now available!
Thanks go to Fernando Correa da Conceição, Marcelo Perreira Fonseca da Silva
and Taniel Franklin for their hard work on this project.
Beyond the template engine
[19-December-2003]
Another interesting article about template
engines by Brian Lozier. There are plenty of references to Smarty in this one!
Discuss it here.
Smarty 2.6.0 Released
[19-November-2003]
The long awaited official stable release! A lot of changes went into this one,
Boots made a nice Release Notes page for
it, thanks Boots! Also see the ChangeLog for full
details. Remember to clear out the compiled and cached files anytime you update
Smarty. If you're using an accelerator, you might want to clear out those files
and restart Apache too.
Release Notes here.
ChangeLog here.
download it here.
Smarty 2.6.0 RC3 Released
[13-Nov-2003]
Release Candidate 3. See the ChangeLog for full details.
Smarty IRC channel
[11-Oct-2003]
Join fellow Smarty users in a chat! Connect to the freenode IRC network (irc.freenode.org) and join channel #smarty.
Smarty 2.6.0 RC2 Released
[8-Oct-2003]
Release Candidate 2. See the ChangeLog for full details.
Forum RSS feed
[7-Oct-2003]
You can now access the last 10 posts from the forum via an RSS
feed, available here.
Thanks boots!
Smarty 2.6.0 RC1 Released
[11-Aug-2003]
Release Candidate 1. Notable new features are cachable/non-cachable function
attributes, default resource type configuration, simple template math and many
internal optimizations. See the ChangeLog for full
details.
Smarty & SQL tutorial
[17-Jun-2003]
An introductory article for using Smarty and MySQL together. Written by Tom Calthrop.
Industrial Strength MVC
[05-Jun-2003]
Industrial Strength MVC is the sample article for the June issue of PHP|Architect written by Jason E. Sweat.
It is available for download here.
The article covers the development of a simple database application using Phrame MVC framework and Smarty for views. In particular, I implemented the "Factory Pattern" to couple view objects with Smarty. Code downloads are available on the same page as the article.
Feel free to comment in the Smarty forum
or on the php|a discussion board.
Smarty French docs available
[28-April-2003]
French docs are now available! Thanks go to Arnaud
Cogoluègnes and Gérald Croës for their hard work on this project.
The Logic of Templates
[23-April-2003]
Here is an interesting article from
Brian Lozier, the author of the btemplate engine. He addresses his thoughts
behind separating business logic and presentation logic. Discuss it here.
Weblog from Simon
[23-April-2003]
Just some
interesting stuff to read with user comments.
Smarty: A closer look
[23-April-2003]
An informative article about the more
advanced features of Smarty. Discuss it here.
The Dynamic Duo of PEAR::DB and Smarty
[23-April-2003]
An informative article
about using Smarty with database access. Discuss it here.
Smarty Discussion Forums!
[17-April-2003]
Smarty now has online
forums available for the Smarty user community. This is in addition to the
mailing lists, so be sure to join both if you don't want to miss anything.
Smarty 2.5.0 Released
[11-April-2003]
This is the official stable release. The backtick syntax that was introduced in
2.5.0-RC1 changed slightly, and a few other minor adjustments have been made
since RC2. See the ChangeLog for full details.
Remember to clear out the compiled and cached files anytime you update Smarty.
This can be done via "rm -rf", or use the clear_all_cache() and
clear_compiled_tpl() functions. If you're using PHPA, restart Apache as well.
Release Notes here.
ChangeLog here.
download it here.
Smarty 2.5.0 RC2 Released
[26-March-2003]
Release Candidate 2. Many things have been stabilized since RC1; this one is
pretty solid, so this will be the last candidate before the 2.5.0 release. The
SGML documentation files have been removed from the tarballs, get them from CVS
if you have a need for them.
Release Notes here.
ChangeLog here.
download it here.
Smarty German docs available
[07-March-2003]
German docs are now available! Thanks go to Andreas
Halter and Thomas Schulz for their hard work on this project.
Smarty 2.5.0 RC1 Released
[05-March-2003]
Release Candidate 1. All $smarty vars can now be dynamic, such as
$smarty.get.$foo. A new class function get_function_object() gets you a
reference to an assigned object, useful within your own custom functions.
append() can now merge as well as append with a third optional attribute. A new
class function get_config_vars() was added, and get_template_vars() can now be
used to get individual vars. Full variable syntax is now supported within
double quotes via a backtick (`) syntax. Files created by smarty are now
written to a tmp file then renamed to avoid file lock retention. html_radios,
html_checkboxes, html_table, html_image, nl2br functions added.
Release Notes here.
ChangeLog here.
download it here.