Jeff-Lewis / smarty-php

Automatically exported from code.google.com/p/smarty-php

[Critical] Security Bug (inject PHP code if enable smarty cache) #166

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi guys, I met a critical Smarty problem; I want to confirm whether this is a bug.

1. smarty_cache = true, 
php_handling = (Any option)

2.
test.tpl 

<html>
{$googleStatististicCode  nofilter}
</html>

3.  $googleStatististicCode ="<script language=\"php\">phpinfo();</script>"

4. test.tpl would be compiled & cached as
<html>
<script language="php">phpinfo();</script>
</html>

5. And this cached page would run PHP code;
   php_handling does nothing to remove PHP code like
   <script language="php">xxxx</script>

Any user can use this bug to inject PHP code and run it at will.

Please confirm whether this is a critical security bug?

Or, is there any way to remove/escape code like <script language="php">phpinfo();</script>?

Original issue reported on code.google.com by Qiang.Yu...@gmail.com on 5 Dec 2013 at 10:03

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I fixed this bug; try to use an output filter to remove all <script language="php">:

// Output filter: removes every <script ... language=...>...</script> block from the
// rendered template output before Smarty writes it to the cache.
function smarty_helper_security_output_filter($source, Smarty_Internal_Template $smartyTemplate)
{
    return preg_replace('/<script[^>]*language[^>]*>(.*?)<\/script>/is', "", $source);
}

$smarty->registerFilter('output', 'smarty_helper_security_output_filter');

Original comment by Qiang.Yu...@gmail.com on 5 Dec 2013 at 11:58

GoogleCodeExporter commented 9 years ago
This is not a bug in Smarty. It is out of the scope of Smarty to check valid HTML tags for security risks.

The programmer did open security holes when disabling escaping on variables or passing $_GET or $_POST variables without sanitization.

Of course an output filter does solve this special case.

Original comment by Uwe.Tews@googlemail.com on 7 Dec 2013 at 12:29
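As an added example (not code from this issue or from the Smarty project), the output filter posted above in a tightened form, next to the escaping the maintainer's reply points to. It assumes plain PHP with no Smarty installed, so the second parameter is left untyped where Smarty would pass a Smarty_Internal_Template; the inputs are constructed from the report.

```php
<?php
// Added example, not code from the issue or from Smarty. Runs with the php CLI alone.

// Remove only <script> blocks whose language attribute is "php" (quotes and case
// optional). The pattern posted in the thread matched every <script> tag that has
// a language attribute, so it also stripped legitimate JavaScript blocks.
// $template is untyped here so the function runs without Smarty (assumption).
function smarty_helper_security_output_filter($source, $template = null)
{
    $pattern = '/<script\b[^>]*\blanguage\s*=\s*["\']?php["\']?[^>]*>.*?<\/script\s*>/is';
    return preg_replace($pattern, '', $source);
}

// Preferred fix: do not output untrusted data with `nofilter`. This mirrors what
// Smarty's escape modifier does, so the tag is rendered as text and neither the
// browser nor the PHP interpreter running the cache file ever sees a tag.
function render_escaped($untrusted)
{
    return htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
}

function check($cond, $msg)
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed inputs: the payload from the report and a legitimate JS block.
$payload = '<script language="php">phpinfo();</script>';
$legit   = '<script language="JavaScript">console.log("ok");</script>';
$page    = "<html>\n{$payload}\n{$legit}\n</html>";

$filtered = smarty_helper_security_output_filter($page);
check(strpos($filtered, 'phpinfo') === false, 'PHP block must be removed');
check(strpos($filtered, 'console.log') !== false, 'JS block must be kept');

$escaped = render_escaped($payload);
check(strpos($escaped, '<script') === false, 'no tag survives escaping');

echo "filtered output:\n{$filtered}\n\nescaped value:\n{$escaped}\n";
```

The filter is only defence in depth for output that is deliberately left unescaped; the escaped path is the one that should carry any value taken from $_GET, $_POST or other untrusted input.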