<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>$security</title> <meta name="generator" content="DocBook XSL Stylesheets V1.75.1"> <link rel="home" href="index.html" title="Smarty Manual"> <link rel="up" href="api.variables.html" title="Chapter 12. Smarty Class Variables"> <link rel="prev" href="variable.php.handling.html" title="$php_handling"> <link rel="next" href="variable.secure.dir.html" title="$secure_dir"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <div class="navheader"> <table width="100%" summary="Navigation header"> <tr><th colspan="3" align="center">$security</th></tr> <tr> <td width="20%" align="left"> <a accesskey="p" href="variable.php.handling.html">Prev</a> </td> <th width="60%" align="center">Chapter 12. Smarty Class Variables</th> <td width="20%" align="right"> <a accesskey="n" href="variable.secure.dir.html">Next</a> </td> </tr> </table> <hr> </div> <div class="sect1" title="$security"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="variable.security"></a>$security</h2></div></div></div> <p> <em class="parameter"><code>$security</code></em> can be <code class="constant">TRUE</code> or <code class="constant">FALSE</code>, and defaults to <code class="constant">FALSE</code>. Security is intended for situations where untrusted parties edit the templates, e.g. via FTP, and you want to reduce the risk of system compromise through the template language.
Turning on security enforces the following rules on the template language, unless specifically overridden with <a class="link" href="variable.security.settings.html" title="$security_settings"> <em class="parameter"><code>$security_settings</code></em></a>: </p> <div class="itemizedlist"><ul class="itemizedlist" type="disc"> <li class="listitem"><p>If <a class="link" href="variable.php.handling.html" title="$php_handling"><em class="parameter"><code>$php_handling</code></em></a> is set to <code class="constant">SMARTY_PHP_ALLOW</code>, this is implicitly changed to <code class="constant">SMARTY_PHP_PASSTHRU</code> </p></li> <li class="listitem"><p> PHP functions are not allowed in <a class="link" href="language.function.if.html" title="{if},{elseif},{else}"><code class="varname">{if}</code></a> statements, except those specified in the <a class="link" href="variable.security.settings.html" title="$security_settings"><em class="parameter"><code>$security_settings</code></em></a> </p></li> <li class="listitem"><p> Templates can only be included from directories listed in the <a class="link" href="variable.secure.dir.html" title="$secure_dir"><em class="parameter"><code>$secure_dir</code></em></a> array </p></li> <li class="listitem"><p> Local files can only be fetched from directories listed in the <a class="link" href="variable.secure.dir.html" title="$secure_dir"><em class="parameter"><code>$secure_dir</code></em></a> array using <a class="link" href="language.function.fetch.html" title="{fetch}"><code class="varname">{fetch}</code></a> </p></li> <li class="listitem"><p> <a class="link" href="language.function.php.html" title="{php}"><code class="varname">{php}{/php}</code></a> tags are not allowed </p></li> <li class="listitem"><p> PHP functions are not allowed as modifiers, except those specified in the <a class="link" href="variable.security.settings.html" title="$security_settings"><em class="parameter"><code>$security_settings</code></em></a> </p></li>
</ul></div> </div> </body> </html>
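A configuration that applies the rules listed above, as an added example that is not part of the Smarty manual. It assumes Smarty 2.x on the include path; the function name and all paths are hypothetical, and the `$security_settings` keys are those of Smarty 2's `$security_settings` array, which this page only links to.

```php
<?php
// Added example, not from the Smarty manual. Assumes Smarty 2.x is on
// the include_path; function name and paths are hypothetical.
require_once 'Smarty.class.php';

function build_untrusted_renderer($templateDir, $compileDir, $sharedDir)
{
    $smarty = new Smarty();
    $smarty->template_dir = $templateDir; // edited by the untrusted party
    // Compiled templates are PHP files, so keep this directory out of
    // reach of whoever can edit the templates.
    $smarty->compile_dir = $compileDir;

    // Turn on the restrictions described on this page.
    $smarty->security = true;

    // Includes and {fetch} of local files are limited to these directories.
    $smarty->secure_dir = array($sharedDir);

    // Override individual keys so the remaining defaults stay in place.
    $smarty->security_settings['PHP_TAGS'] = false;     // {php}{/php} rejected
    $smarty->security_settings['PHP_HANDLING'] = false; // no SMARTY_PHP_ALLOW
    $smarty->security_settings['INCLUDE_ANY'] = false;  // honour $secure_dir
    // The only PHP functions templates may call in {if} statements.
    $smarty->security_settings['IF_FUNCS'] = array(
        'isset', 'empty', 'count', 'true', 'false', 'null',
    );
    // The only PHP functions templates may use as modifiers.
    $smarty->security_settings['MODIFIER_FUNCS'] = array('count');

    return $smarty;
}

// Hypothetical deployment layout.
$smarty = build_untrusted_renderer(
    '/srv/app/templates',
    '/srv/app/templates_c',
    '/srv/app/shared_templates'
);
$smarty->display('index.tpl');
```

Keep the two allow-lists as short as the templates actually need, since every function named there becomes callable by anyone who can edit a template.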