SANDBOXING: Why is separating PHP from templates important? As the Smarty documentation puts it, when PHP is mixed with templates there are no restrictions on what type of logic can be injected into a template. Smarty insulates the templates from PHP, creating a controlled separation of presentation from business logic, and it also has security features that can further enforce granular restrictions on templates.

Many applications allow users to modify templates, and given that Smarty clearly states that it has a sandbox, it is likely that this functionality will be exposed as intended by developers. We therefore have to assume an environment in which a template injection could occur.
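To make the "granular restrictions" concrete, here is an added example (not code from the original post or from the Smarty project) of a Smarty 3.1 security policy applied to a template that comes from an untrusted user. The class name UntrustedTemplatePolicy, the helper renderUserTemplate(), the directory paths and the two sample templates are all assumptions made for this illustration; the Smarty_Security properties and the enableSecurity()/fetch() calls are the library's own API.

```php
<?php
// Added example: a locked-down Smarty 3.1 security policy for user-supplied templates.
// Not code from the original post. Assumes smarty/smarty installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

class UntrustedTemplatePolicy extends Smarty_Security
{
    // Raw <?php ... ?> blocks inside a template are stripped rather than passed through.
    public $php_handling = Smarty::PHP_REMOVE;

    // PHP functions a template may call as {func(...)}: a small, side-effect-free set.
    public $php_functions = array('isset', 'empty', 'count', 'in_array');

    // Modifiers a template may apply, e.g. {$x|escape}.
    public $php_modifiers = array('escape', 'count', 'nl2br');

    // No static classes, no PHP constants, no $smarty.get/$smarty.server superglobals.
    public $static_classes = array();
    public $allow_constants = false;
    public $allow_super_globals = false;

    // Template resources may only come from the local file system (no php://, http://).
    public $streams = array('file');

    // Tags that evaluate or pull in arbitrary content are switched off.
    public $disabled_tags = array('eval', 'fetch', 'insert');

    // Only templates under this directory (assumed path) may be {include}d.
    public $secure_dir = array(__DIR__ . '/templates');
}

/**
 * Compile and render a template string under the policy above.
 * Policy violations surface as compile-time exceptions, before any output is produced.
 */
function renderUserTemplate($source, array $vars)
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile'); // assumed writable
    $smarty->enableSecurity('UntrustedTemplatePolicy');
    $smarty->assign($vars);

    try {
        // The 'string:' resource compiles the template text directly.
        return $smarty->fetch('string:' . $source);
    } catch (SmartyCompilerException $e) {
        return 'rejected: ' . $e->getMessage();
    } catch (SmartyException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed sample input: a benign template, and one that smuggles a PHP call
// into presentation logic. Only functions on the $php_functions allowlist compile.
$benign  = 'Hello {$name|escape}, you have {count($items)} items.';
$hostile = 'Hello {$name|escape}. {system("id")}';

echo renderUserTemplate($benign,  array('name' => 'alice', 'items' => array(1, 2, 3))), PHP_EOL;
echo renderUserTemplate($hostile, array('name' => 'alice', 'items' => array())), PHP_EOL;
```

The second call is refused at compile time because system() is not in $php_functions; the first renders normally. The point of the example is where the restrictions bite, not that this policy is complete: the post's premise is that the sandbox is exactly the surface developers will expose to users, so the policy is the thing an attacker will be probing, and every allowlist entry above is attack surface.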