Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Smarty registered classes check prevents use of class constants to avoid typo bugs in templates #1028

Open
arkonan opened this issue Jun 5, 2024 · 3 comments
Open

Smarty registered classes check prevents use of class constants to avoid typo bugs in templates #1028

arkonan opened this issue Jun 5, 2024 · 3 comments

Comments

@arkonan
Copy link

arkonan commented Jun 5, 2024

My team makes extensive use of PHP class constants in our Smarty templates to avoid problems with typos in logic checks. With the new requirement that all classes be registered to access them statically our templates now generate deprecation warnings for each class constant.

It would be nice if class constants references (as opposed to static method calls) did not require class registration.

Alternatively I would like a supported way of overriding this behavior in a security policy. For example I would expect that overriding isTrustedStaticClass() or isTrustedStaticClassAccess() in my security policy would allow me to suppress the registered class requirement. However since the check for class registration is done outside the security policy this does not work unless the security policy also registers the class before returning. Calling Smarty::registerClass() from inside my security policy currently works but does not seem like it is a supported solution to the problem.
@asmecher
Copy link
Contributor

Agreed, using class constants in templates helps us from keeping magic strings and numbers from proliferating through the codebase, and they're easy to grep for when determining the impact of a change. Having to add a ton of registerClass calls makes this painful and I don't see the risk of just allowing constants to be accessed as a general rule.

@wisskid
Copy link
Contributor

wisskid commented Jul 4, 2024

Using class constants should not trigger the notice. This is probably an unintended side effect of #880

@wisskid wisskid mentioned this issue Jul 5, 2024
Open
@asmecher asmecher mentioned this issue Jul 23, 2024
Open
@ssigwart
Copy link
Contributor

I think this is referring to an issue I'm running into. Here are example files:

index.php

class MyConfig
{
	const VAR1 = 'MyConstant';
}

$smarty = new Smarty();
$smarty->setTemplateDir('./templates');
$smarty->setCompileDir('./templates_c');
$smarty->display('index.tpl');

index.tpl

Constant: {MyConfig::VAR1}

In Smarty 4.5.5, this produces this output:

PHP Deprecated:  Using unregistered static method "MyConfig::VAR1" in a template is deprecated and will be removed in a future release. Use Smarty::registerClass to explicitly register a class for access. in /path/to/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php on line 2428

Deprecated: Using unregistered static method "MyConfig::VAR1" in a template is deprecated and will be removed in a future release. Use Smarty::registerClass to explicitly register a class for access. in /path/to/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php on line 2428
Constant: MyConstant

In Smarty 5.4.2, it works as expected with no deprecation warnings. In Smarty 4, adding $smarty->registerClass('MyConfig', 'MyConfig'); does seem to solve this, but it's not ideal.

@ssigwart ssigwart mentioned this issue Nov 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@asmecher @arkonan @ssigwart @wisskid