https://github.com/systopia/smarty-user-content-policy
- Host: GitHub
- URL: https://github.com/systopia/smarty-user-content-policy
- Owner: systopia
- License: other
- Created: 2024-06-24T12:34:05.000Z (11 months ago)
- Default Branch: master
- Last Pushed: 2024-06-26T09:09:17.000Z (11 months ago)
- Last Synced: 2024-06-26T14:16:22.574Z (11 months ago)
- Topics: civicrm, civicrm-extension, civicrm-extensions
- Language: PHP
- Homepage:
- Size: 32.2 KB
- Stars: 0
- Watchers: 5
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# Smarty User Content Policy
This extension changes the *Smarty* User Content Policy introduced with CiviCRM versions `5.74.4` and `5.69.6`,
most notably re-allowing the `{crmAPI}` *Smarty* tag in user content (such as message templates, mailings,
scheduled reminders, etc.), which the default user content policy forbids.

If you have message templates (or other *Smarty* templates in configuration) that use the `{crmAPI}` *Smarty*
tag and cannot replace them with something else, this extension re-allows the tag. It will, however, place an error
message in the status report, because this effectively re-opens the security hole that the strict policy was
introduced to close: `{crmAPI}` lets a template execute CiviCRM API calls, so anyone who can edit user content can
make those calls. The extension only buys you time to find where your templates use the `{crmAPI}` tag and to
replace it (e.g. with tokens).

For more information on the Smarty User Content Policy introduced with the aforementioned security updates, see the
[update announcement](https://civicrm.org/blog/dev-team/civicrm-5744-5696-esr-security-release) and the
[security advisory](https://civicrm.org/advisory/civi-sa-2024-03-smarty-security-policy).

As a mid-term solution, you might consider another extension that provides a less insecure version of the `{crmAPI}`
tag: [smarty_reduced_security](https://github.com/eileenmcnaughton/smarty_reduced_security). However, this is also
considered a transitional solution, and it alters your templates in the database, so it is not easily reversible.

This extension *might* evolve into a configuration interface for the *Smarty* security policy, with options for
(dis-)allowing particular *Smarty* tags, modifiers and PHP functions. For now it simply removes the `{crmAPI}` tag
from the list of disallowed *Smarty* tags, without any configuration UI.
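The following script is an added illustration, not code from this extension or from CiviCRM, of what a disallowed-tag list in a Smarty security policy does and what removing `{crmAPI}` from it exposes. It uses the stock `Smarty_Security` class from Smarty 3/4 (assumed installed via Composer as `smarty/smarty`), a stand-in `crmAPI` plugin that only records the call instead of running the real CiviCRM API, and a constructed message template; CiviCRM's actual policy class, tag lists and hook names are not reproduced here.

```php
<?php
// Added illustration, not CiviCRM's or this extension's code.
// Assumes smarty/smarty 3.x or 4.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

// Stand-in for CiviCRM's {crmAPI} plugin. In a real CiviCRM install the
// plugin runs the full API (Contact.get, Contribution.get, ...) from inside
// the template; here it only reports what would have been called.
function fake_crmAPI(array $params, Smarty_Internal_Template $template): string
{
    $entity = $params['entity'] ?? '?';
    $action = $params['action'] ?? '?';
    return "[API call executed from template: {$entity}.{$action}]";
}

// Build a Smarty instance whose security policy forbids the given tags.
// Smarty_Security::$disabled_tags is the stock Smarty list of tag names
// that the compiler refuses in templates.
function build_smarty(array $disabledTags): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_policy_demo');
    $smarty->caching = Smarty::CACHING_OFF;
    $smarty->registerPlugin('function', 'crmAPI', 'fake_crmAPI');

    $policy = new Smarty_Security($smarty);
    $policy->disabled_tags = $disabledTags;
    $smarty->enableSecurity($policy);
    return $smarty;
}

// Render "user content" under the policy; a disabled tag is rejected at
// compile time, which is what the strict user content policy relies on.
function render(Smarty $smarty, string $userTemplate): string
{
    try {
        $smarty->assign('name', 'Alice');
        return $smarty->fetch('string:' . $userTemplate);
    } catch (SmartyException $e) {
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed example of user content: a message template saved by an
// editor who can change templates but should not be able to run API calls.
$userTemplate = 'Hello {$name}, {crmAPI entity="Contact" action="get"}';

// 1. Strict policy: crmAPI is on the disabled list, the template fails to compile.
$strict = ['crmAPI'];
echo render(build_smarty($strict), $userTemplate), PHP_EOL;

// 2. What this extension does in effect: crmAPI is taken off the disabled
//    list, so the template compiles and the API call runs.
$relaxed = array_values(array_diff($strict, ['crmAPI']));
echo render(build_smarty($relaxed), $userTemplate), PHP_EOL;
```

Run it with `php demo.php` from a directory that has the Composer autoloader. The first render is rejected by the compiler with a "disabled by security setting" error; the second renders the greeting together with the stand-in API output, which is the behaviour a real `{crmAPI}` tag restores once it is no longer on the disallowed list.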