v4.3.2

What's Changed

• Remove md5 modifier from debug.tpl by @j-applese3d in #871
• muteUndefinedOrNullWarnings() now also mutes PHP8 warnings for undefi… by @wisskid in #891

New Contributors

• @j-applese3d made their first contribution in #871

Full Changelog: v4.3.1...v4.3.2

v4.3.1

Security

• Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447.

Fixed

• $smarty->muteUndefinedOrNullWarnings() now also mutes PHP7 notices for undefined array indexes #736
• $smarty->muteUndefinedOrNullWarnings() now treats undefined vars and array access of a null or false variables
  equivalent across all supported PHP versions
• $smarty->muteUndefinedOrNullWarnings() now allows dereferencing of non-objects across all supported PHP versions #831
• PHP 8.1 deprecation warnings on null strings in modifiers #834

v3.1.48

Security

• Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447.

Fixed

• Output buffer is now cleaned for internal PHP errors as well, not just for Exceptions #514

v4.3.0

What's Changed

• clean output buffer for Throwable instead of just Exception by @wisskid in #797
• Fix wrong indentation in libs/plugins/modifier.capitalize.php by @MrPetovan in #802
• fix compilation for caching templates by @Storyxx in #801
• Fix Variable Expression by @JonisoftGermany in #808
• Silence deprecation errors for strtime in PHP8.1 or higher by @wisskid in #811
• Fixed PHP8.1 deprecation errors passing null to parameter in trim by @IT-Experte in #807
• Re-organize all testrunners to use the same script(s). by @wisskid in #812
• Fixed PHP8.1 deprecation errors in strip_tags by @wisskid in #803
• #155 Adapt Smarty upper/lower functions to be codesafe (e.g. for Turkish locale) by @asmecher in #586
• Bug fix for underscore in template name by @EDCScott in #581
• Using PHP functions as modifiers now triggers a deprecation notice. by @wisskid in #814
• Use 'DIR' instead of 'dirname(FILE)' by @MekDrop in #817
• Fixed several typos and grammar errors by @AndrewDawes in #821
• PHP8.2 compatibility by @Progi1984 in #775
• Make SmartyCompilerException play nicer with error handler libraries by @Hunman in #782
• Change file permissions for directories and respect umask for files by @wisskid in #828

New Contributors

• @MrPetovan made their first contribution in #802
• @Storyxx made their first contribution in #801
• @asmecher made their first contribution in #586
• @EDCScott made their first contribution in #581
• @MekDrop made their first contribution in #817
• @AndrewDawes made their first contribution in #821
• @Progi1984 made their first contribution in #775

Full Changelog: v4.2.1...v4.3.0

v4.2.1

If you use the {mailto} plugin in your templates, please check if you are escaping the address value explicitly like this {mailto address=$htmladdress|escape}. This could cause problems through double escaping.

What's Changed

Security

• Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

• Fixed PHP8.1 deprecation errors in modifiers (upper, explode, number_format and replace) #755 and #788
• Fixed PHP8.1 deprecation errors in capitalize modifier #789
• Fixed use of rand() without a parameter in math function #794
• Fixed unselected year/month/day not working in html_select_date #395

New Contributors

• @mfettig made their first contribution in #755

Full Changelog: v4.2.0...v4.2.1

v3.1.47

If you use the {mailto} plugin in your templates, please check if you are escaping the address value explicitly like this {mailto address=$htmladdress|escape}. This could cause problems through double escaping.

Security

• Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

• Fixed use of rand() without a parameter in math function #794
• Fixed unselected year/month/day not working in html_select_date #395

v4.2.0

What's Changed

• add local testrunners for all supported PHP versions using docker. by @wisskid in #770
• Fix PHP 8.1 htmlspecialchars deprecation by @gkreitz in #766
• Do not use obsolete smarty properties '_dir_perms', '_file_perms', 'p… by @wisskid in #772
• Update to HTML5-syntax in debug template by @JonisoftGermany in #599
• Merge branch 'fix-issue-549-v3' of github.com:AnrDaemon/smarty into A… by @wisskid in #771
• Fixed second param of unescape modifier by @wisskid in #778

New Contributors

• @gkreitz made their first contribution in #766
• @JonisoftGermany made their first contribution in #599

Full Changelog: v4.1.1...v4.2.0

v3.1.46

What's Changed

• Fixed replace modifier by converting encoding if needed by @AnrDaemon in #740
• Fixed second param of unescape modifier by @wisskid in #779

Full Changelog: v3.1.45...v3.1.46

v4.1.1

Security

• Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

• Exclude docs and demo from export and composer #751
• PHP 8.1 deprecation notices in demo/plugins/cacheresource.pdo.php #706
• PHP 8.1 deprecation notices in truncate modifier #699
• Math equation max(x, y) didn't work anymore #721
• Fix PHP 8.1 deprecated warning when calling rtrim #743
• PHP 8.1: fix deprecation in escape modifier #727

v3.1.45

Security

• Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

• Math equation max(x, y) didn't work anymore #721