Warning: I am totally new to Smarty!
I have inherited a bunch of Smarty templates that capture and display user input. So far OK.
However, on displaying the data in the browser, the Smarty templates do not escape any HTML input made by a user; instead it is rendered. If the user entered <script>alert('alert')</script>, this will produce an alert box!
I set $escape_html in Smarty.class.php and had all templates compiled, but no success.
I have been reading about the modifier {string|htmlentities}, but still don't get where to apply this.
How can I tell Smarty to apply htmlentities to all output/display strings?
Do I have to crawl into all the template files to achieve this?
Smarty 'version' => '4.2.0'. I have deleted all compiled templates before trying anything new. I have set the public Smarty class variable $escape_html=true, but it has no effect. I still get my alert boxes.
STUPID ME!
RTFM!
From the documentation:
Template designers can choose to selectively disable this feature by adding the nofilter flag: {$variable nofilter}.
That is what the template designer did in several places...
{$datenreport[r].fruhere_Beschwerden|nl2br nofilter}
Because nofilter is set, the following section in class Smarty_Internal_Compile_Private_Print_Expression
$output = "htmlspecialchars((string) {$output}, ENT_QUOTES, '" . addslashes(Smarty::$_CHARSET) . "')";
is skipped.
All is fine.
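As an added example (not code from the original post or from the Smarty project), the following PHP script renders the same user input through three inline templates so the effect of $escape_html and the nofilter flag can be seen side by side: plain {$text} is auto-escaped, {$text|nl2br nofilter} (the pattern found in the inherited templates) lets the raw script tag through, and {$text|escape|nl2br nofilter} keeps the line breaks from nl2br while still neutralising the markup. It assumes Smarty 4.x installed via Composer (vendor/autoload.php) and a writable ./templates_c directory; both paths and the $userInput string are constructed for the example.

```php
<?php
// Added example, not part of the original post: shows how Smarty's
// $escape_html setting interacts with the nofilter flag.
// Assumptions: Smarty 4.x via Composer, writable ./templates_c directory.
require __DIR__ . '/vendor/autoload.php';

$smarty = new Smarty();
$smarty->setCompileDir(__DIR__ . '/templates_c');

// Auto-apply htmlspecialchars() to every {$var} at compile time.
$smarty->escape_html = true;

// escape_html is applied when a template is compiled, so stale compiled
// templates would hide the setting; force a recompile for this demo.
$smarty->force_compile = true;

// Constructed user input of the kind the question describes: a line break
// (so nl2br has something to do) followed by a script tag.
$userInput = "line one\n<script>alert('alert')</script>";
$smarty->assign('text', $userInput);

// Inline templates (the string: resource) so the example is self-contained.
$cases = [
    // 1) Default with escape_html: tags become &lt;script&gt;, no alert box.
    'auto'         => '{$text}',
    // 2) What the inherited templates did: nofilter switches off the
    //    automatic escaping, so the raw <script> tag reaches the browser.
    'nofilter'     => '{$text|nl2br nofilter}',
    // 3) Keep nl2br's <br /> tags but escape the user data first; nofilter
    //    then only skips the second, automatic escaping that would
    //    otherwise turn <br /> into &lt;br /&gt;.
    'escape-first' => '{$text|escape|nl2br nofilter}',
];

foreach ($cases as $name => $template) {
    echo $name, ":\n", $smarty->fetch('string:' . $template), "\n\n";
}
```

When auditing the inherited templates, every nofilter occurrence is worth a look: it is only safe when the chain of modifiers before it already escapes the user-controlled part (as in the third case), or when the value is trusted markup that the application itself generated.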