<HTML
><HEAD
><TITLE
>$security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Smarty Manual"
HREF="index.html"><LINK
REL="UP"
TITLE="Smarty Class Variables"
HREF="api.variables.html"><LINK
REL="PREVIOUS"
TITLE="$php_handling"
HREF="variable.php.handling.html"><LINK
REL="NEXT"
TITLE="$secure_dir"
HREF="variable.secure.dir.html"><META
HTTP-EQUIV="Content-type"
CONTENT="text/html; charset=ISO-8859-1"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Smarty Manual</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="variable.php.handling.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 12. Smarty Class Variables</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="variable.secure.dir.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="variable.security"
></A
>$security</H1
><P
> <TT
CLASS="parameter"
><I
>$security</I
></TT
> can be <TT
CLASS="constant"
>TRUE</TT
> or <TT
CLASS="constant"
>FALSE</TT
>,
defaults to <TT
CLASS="constant"
>FALSE</TT
>. Security is good for
situations when you have untrusted parties editing the templates
eg via ftp, and you want to reduce the risk of system
security compromises through the template language. Turning on
security enforces the following rules to the template language,
unless specifially overridden with <A
HREF="variable.security.settings.html"
> <TT
CLASS="parameter"
><I
>$security_settings</I
></TT
></A
>:
</P
><P
></P
><UL
><LI
><P
>If <A
HREF="variable.php.handling.html"
><TT
CLASS="parameter"
><I
>$php_handling</I
></TT
></A
>
is set to <TT
CLASS="constant"
>SMARTY_PHP_ALLOW</TT
>, this is
implicitly changed to <TT
CLASS="constant"
>SMARTY_PHP_PASSTHRU</TT
>
</P
></LI
><LI
><P
> PHP functions are not allowed in <A
HREF="language.function.if.html"
><TT
CLASS="varname"
>{if}</TT
></A
> statements,
except those specified in the
<A
HREF="variable.security.settings.html"
><TT
CLASS="parameter"
><I
>$security_settings</I
></TT
></A
>
</P
></LI
><LI
><P
> Templates can only be included from directories
listed in the
<A
HREF="variable.secure.dir.html"
><TT
CLASS="parameter"
><I
>$secure_dir</I
></TT
></A
> array
</P
></LI
><LI
><P
> Local files can only be fetched from directories listed in the
<A
HREF="variable.secure.dir.html"
><TT
CLASS="parameter"
><I
>$secure_dir</I
></TT
></A
>
array using <A
HREF="language.function.fetch.html"
><TT
CLASS="varname"
>{fetch}</TT
></A
>
</P
></LI
><LI
><P
> <A
HREF="language.function.php.html"
><TT
CLASS="varname"
>{php}{/php}</TT
></A
> tags are not allowed
</P
></LI
><LI
><P
> PHP functions are not allowed as modifiers, except those specified in the
<A
HREF="variable.security.settings.html"
><TT
CLASS="parameter"
><I
>$security_settings</I
></TT
></A
>
</P
></LI
></UL
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="variable.php.handling.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="variable.secure.dir.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>$php_handling</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="api.variables.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>$secure_dir</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
