smarty-php/smarty (smarty/smarty)
### [`v4.5.3`](https://togithub.com/smarty-php/smarty/releases/tag/v4.5.3)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.5.2...v4.5.3)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.5.2...v4.5.3
### [`v4.5.2`](https://togithub.com/smarty-php/smarty/releases/tag/v4.5.2)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.5.1...v4.5.2)
#### What's Changed
- Fixed argument must be passed by reference error introduced in v4.5.1 [#964](https://togithub.com/smarty-php/smarty/issues/964)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.5.1...v4.5.2
### [`v4.5.1`](https://togithub.com/smarty-php/smarty/releases/tag/v4.5.1)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.5.0...v4.5.1)
#### What's Changed
- Using PHP functions and static class methods in expressions now also triggers a deprecation notice by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/880](https://togithub.com/smarty-php/smarty/pull/880)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.4.0...v4.5.1
### [`v4.5.0`](https://togithub.com/smarty-php/smarty/compare/v4.4.1...v4.5.0)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.4.1...v4.5.0)
### [`v4.4.1`](https://togithub.com/smarty-php/smarty/releases/tag/v4.4.1)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.4.0...v4.4.1)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.4.0...v4.4.1
### [`v4.4.0`](https://togithub.com/smarty-php/smarty/releases/tag/v4.4.0)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.5...v4.4.0)
#### What's Changed
- Fix incorrect compilation of expressions when escape_html=true by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/932](https://togithub.com/smarty-php/smarty/pull/932)
- Prevent deprecation notices for implode, json_encode and substr modif… by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/942](https://togithub.com/smarty-php/smarty/pull/942)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.3.5...v4.4.0
### [`v4.3.5`](https://togithub.com/smarty-php/smarty/compare/v4.3.4...v4.3.5)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.4...v4.3.5)
### [`v4.3.4`](https://togithub.com/smarty-php/smarty/releases/tag/v4.3.4)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.3...v4.3.4)
#### What's Changed
- Fix strip_tags modifier for falsy input. by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/893](https://togithub.com/smarty-php/smarty/pull/893)
- Fix use of negative numbers in math equations (4.3 port of [#903](https://togithub.com/smarty-php/smarty/issues/903)) by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/904](https://togithub.com/smarty-php/smarty/pull/904)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.3.2...v4.3.4
### [`v4.3.3`](https://togithub.com/smarty-php/smarty/compare/v4.3.2...v4.3.3)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.2...v4.3.3)
### [`v4.3.2`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#432---2023-07-19)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.1...v4.3.2)
##### Fixed
- `$smarty->muteUndefinedOrNullWarnings()` now also mutes PHP8 warnings for undefined properties
### [`v4.3.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#431---2023-03-28)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.0...v4.3.1)
##### Security
- Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447.
##### Fixed
- `$smarty->muteUndefinedOrNullWarnings()` now also mutes PHP7 notices for undefined array indexes [#736](https://togithub.com/smarty-php/smarty/issues/736)
- `$smarty->muteUndefinedOrNullWarnings()` now treats undefined vars and array access of a null or false variables
equivalent across all supported PHP versions
- `$smarty->muteUndefinedOrNullWarnings()` now allows dereferencing of non-objects across all supported PHP versions [#831](https://togithub.com/smarty-php/smarty/issues/831)
- PHP 8.1 deprecation warnings on null strings in modifiers [#834](https://togithub.com/smarty-php/smarty/pull/834)
### [`v4.3.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#430---2022-11-22)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.2.1...v4.3.0)
##### Added
- PHP8.2 compatibility [#775](https://togithub.com/smarty-php/smarty/pull/775)
##### Changed
- Include docs and demo in the releases [#799](https://togithub.com/smarty-php/smarty/issues/799)
- Using PHP functions as modifiers now triggers a deprecation notice because we will drop support for this in the next major release [#813](https://togithub.com/smarty-php/smarty/issues/813)
- Dropped remaining references to removed PHP-support in Smarty 4 from docs, lexer and security class. [#816](https://togithub.com/smarty-php/smarty/issues/816)
- Support umask when writing (template) files and set dir permissions to 777 [#548](https://togithub.com/smarty-php/smarty/issues/548) [#819](https://togithub.com/smarty-php/smarty/issues/819)
##### Fixed
- Output buffer is now cleaned for internal PHP errors as well, not just for Exceptions [#514](https://togithub.com/smarty-php/smarty/issues/514)
- Fixed recursion and out of memory errors when caching in complicated template set-ups using inheritance and includes [#801](https://togithub.com/smarty-php/smarty/pull/801)
- Fixed PHP8.1 deprecation errors in strip_tags
- Fix Variable Usage in Exception message when unable to load subtemplate [#808](https://togithub.com/smarty-php/smarty/pull/808)
- Fixed PHP8.1 deprecation notices for strftime [#672](https://togithub.com/smarty-php/smarty/issues/672)
- Fixed PHP8.1 deprecation errors passing null to parameter in trim [#807](https://togithub.com/smarty-php/smarty/pull/807)
- Adapt Smarty upper/lower functions to be codesafe (e.g. for Turkish locale) [#586](https://togithub.com/smarty-php/smarty/pull/586)
- Bug fix for underscore and limited length in template name in custom resources [#581](https://togithub.com/smarty-php/smarty/pull/581)
### [`v4.2.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#421---2022-09-14)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.2.0...v4.2.1)
##### Security
- Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://togithub.com/smarty-php/smarty/issues/454)
##### Fixed
- Fixed PHP8.1 deprecation notices in modifiers (upper, explode, number_format and replace) [#755](https://togithub.com/smarty-php/smarty/pull/755) and [#788](https://togithub.com/smarty-php/smarty/pull/788)
- Fixed PHP8.1 deprecation notices in capitalize modifier [#789](https://togithub.com/smarty-php/smarty/issues/789)
- Fixed use of `rand()` without a parameter in math function [#794](https://togithub.com/smarty-php/smarty/issues/794)
- Fixed unselected year/month/day not working in html_select_date [#395](https://togithub.com/smarty-php/smarty/issues/395)
### [`v4.2.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#420---2022-08-01)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.1.1...v4.2.0)
##### Fixed
- Fixed problems with smarty_mb_str_replace [#549](https://togithub.com/smarty-php/smarty/issues/549)
- Fixed second parameter of unescape modifier not working [#777](https://togithub.com/smarty-php/smarty/issues/777)
##### Changed
- Updated HTML of the debug template [#599](https://togithub.com/smarty-php/smarty/pull/599)
### [`v4.1.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#411---2022-05-17)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.1.0...v4.1.1)
##### Security
- Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221
##### Fixed
- Exclude docs and demo from export and composer [#751](https://togithub.com/smarty-php/smarty/pull/751)
- PHP 8.1 deprecation notices in demo/plugins/cacheresource.pdo.php [#706](https://togithub.com/smarty-php/smarty/issues/706)
- PHP 8.1 deprecation notices in truncate modifier [#699](https://togithub.com/smarty-php/smarty/issues/699)
- Math equation `max(x, y)` didn't work anymore [#721](https://togithub.com/smarty-php/smarty/issues/721)
- Fix PHP 8.1 deprecated warning when calling rtrim [#743](https://togithub.com/smarty-php/smarty/pull/743)
- PHP 8.1: fix deprecation in escape modifier [#727](https://togithub.com/smarty-php/smarty/pull/727)
### [`v4.1.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#410---2022-02-06)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.4...v4.1.0)
##### Added
- PHP8.1 compatibility [#713](https://togithub.com/smarty-php/smarty/pull/713)
### [`v4.0.4`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#404---2022-01-18)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.3...v4.0.4)
##### Fixed
- Fixed illegal characters bug in math function security check [#702](https://togithub.com/smarty-php/smarty/issues/702)
### [`v4.0.3`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#403---2022-01-10)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.2...v4.0.3)
##### Security
- Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
### [`v4.0.2`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#402---2022-01-10)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.1...v4.0.2)
##### Security
- Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454
### [`v4.0.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#401---2022-01-09)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.0...v4.0.1)
##### Security
- Rewrote the mailto function to not use `eval` when encoding with javascript
### [`v4.0.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#400---2021-11-25)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.48...v4.0.0)
### [`v3.1.48`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.48)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.47...v3.1.48)
##### Security
- Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447.
##### Fixed
- Output buffer is now cleaned for internal PHP errors as well, not just for Exceptions [#514](https://togithub.com/smarty-php/smarty/issues/514)
### [`v3.1.47`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.47)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.46...v3.1.47)
If you use the {mailto} plugin in your templates, please check if you are escaping the address value explicitly like this `{mailto address=$htmladdress|escape}`. This could cause problems through double escaping.
##### Security
- Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://togithub.com/smarty-php/smarty/issues/454)
##### Fixed
- Fixed use of `rand()` without a parameter in math function [#794](https://togithub.com/smarty-php/smarty/issues/794)
- Fixed unselected year/month/day not working in html_select_date [#395](https://togithub.com/smarty-php/smarty/issues/395)
### [`v3.1.46`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.46)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.45...v3.1.46)
#### What's Changed
- Fixed replace modifier by converting encoding if needed by [@AnrDaemon](https://togithub.com/AnrDaemon) in [https://github.com/smarty-php/smarty/pull/740](https://togithub.com/smarty-php/smarty/pull/740)
- Fixed second param of unescape modifier by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/779](https://togithub.com/smarty-php/smarty/pull/779)
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.45...v3.1.46
### [`v3.1.45`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.45)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.44...v3.1.45)
##### Security
- Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221
##### Fixed
- Math equation `max(x, y)` didn't work anymore [#721](https://togithub.com/smarty-php/smarty/issues/721)
### [`v3.1.44`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.44)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.43...v3.1.44)
#### What's Changed
- Fixes illegal characters warning in math
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.43...v3.1.44
### [`v3.1.43`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.43)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.42...v3.1.43)
Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.42...v3.1.43
### [`v3.1.42`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.42)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.41...v3.1.42)
Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454
**Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.41...v3.1.42
### [`v3.1.41`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.41)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.40...v3.1.41)
Rewrote the mailto function to not use `eval` when encoding with javascript
### [`v3.1.40`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#3140---2021-10-13)
[Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.39...v3.1.40)
##### Changed
- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used [https://github.com/smarty-php/smarty/pull/649](https://togithub.com/smarty-php/smarty/pull/649)
##### Security
- More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
3.1.*
->4.5.*
By merging this PR, the below issues will be automatically resolved and closed:
Release Notes
smarty-php/smarty (smarty/smarty)
### [`v4.5.3`](https://togithub.com/smarty-php/smarty/releases/tag/v4.5.3) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.5.2...v4.5.3) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.5.2...v4.5.3 ### [`v4.5.2`](https://togithub.com/smarty-php/smarty/releases/tag/v4.5.2) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.5.1...v4.5.2) #### What's Changed - Fixed argument must be passed by reference error introduced in v4.5.1 [#964](https://togithub.com/smarty-php/smarty/issues/964) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.5.1...v4.5.2 ### [`v4.5.1`](https://togithub.com/smarty-php/smarty/releases/tag/v4.5.1) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.5.0...v4.5.1) #### What's Changed - Using PHP functions and static class methods in expressions now also triggers a deprecation notice by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/880](https://togithub.com/smarty-php/smarty/pull/880) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.4.0...v4.5.1 ### [`v4.5.0`](https://togithub.com/smarty-php/smarty/compare/v4.4.1...v4.5.0) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.4.1...v4.5.0) ### [`v4.4.1`](https://togithub.com/smarty-php/smarty/releases/tag/v4.4.1) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.4.0...v4.4.1) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.4.0...v4.4.1 ### [`v4.4.0`](https://togithub.com/smarty-php/smarty/releases/tag/v4.4.0) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.5...v4.4.0) #### What's Changed - Fix incorrect compilation of expressions when escape_html=true by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/932](https://togithub.com/smarty-php/smarty/pull/932) - Prevent deprecation notices for implode, json_encode and substr modif… by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/942](https://togithub.com/smarty-php/smarty/pull/942) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.3.5...v4.4.0 ### [`v4.3.5`](https://togithub.com/smarty-php/smarty/compare/v4.3.4...v4.3.5) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://togithub.com/smarty-php/smarty/releases/tag/v4.3.4) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.3...v4.3.4) #### What's Changed - Fix strip_tags modifier for falsy input. by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/893](https://togithub.com/smarty-php/smarty/pull/893) - Fix use of negative numbers in math equations (4.3 port of [#903](https://togithub.com/smarty-php/smarty/issues/903)) by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/904](https://togithub.com/smarty-php/smarty/pull/904) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v4.3.2...v4.3.4 ### [`v4.3.3`](https://togithub.com/smarty-php/smarty/compare/v4.3.2...v4.3.3) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.2...v4.3.3) ### [`v4.3.2`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#432---2023-07-19) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.1...v4.3.2) ##### Fixed - `$smarty->muteUndefinedOrNullWarnings()` now also mutes PHP8 warnings for undefined properties ### [`v4.3.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#431---2023-03-28) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.3.0...v4.3.1) ##### Security - Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447. ##### Fixed - `$smarty->muteUndefinedOrNullWarnings()` now also mutes PHP7 notices for undefined array indexes [#736](https://togithub.com/smarty-php/smarty/issues/736) - `$smarty->muteUndefinedOrNullWarnings()` now treats undefined vars and array access of a null or false variables equivalent across all supported PHP versions - `$smarty->muteUndefinedOrNullWarnings()` now allows dereferencing of non-objects across all supported PHP versions [#831](https://togithub.com/smarty-php/smarty/issues/831) - PHP 8.1 deprecation warnings on null strings in modifiers [#834](https://togithub.com/smarty-php/smarty/pull/834) ### [`v4.3.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#430---2022-11-22) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.2.1...v4.3.0) ##### Added - PHP8.2 compatibility [#775](https://togithub.com/smarty-php/smarty/pull/775) ##### Changed - Include docs and demo in the releases [#799](https://togithub.com/smarty-php/smarty/issues/799) - Using PHP functions as modifiers now triggers a deprecation notice because we will drop support for this in the next major release [#813](https://togithub.com/smarty-php/smarty/issues/813) - Dropped remaining references to removed PHP-support in Smarty 4 from docs, lexer and security class. [#816](https://togithub.com/smarty-php/smarty/issues/816) - Support umask when writing (template) files and set dir permissions to 777 [#548](https://togithub.com/smarty-php/smarty/issues/548) [#819](https://togithub.com/smarty-php/smarty/issues/819) ##### Fixed - Output buffer is now cleaned for internal PHP errors as well, not just for Exceptions [#514](https://togithub.com/smarty-php/smarty/issues/514) - Fixed recursion and out of memory errors when caching in complicated template set-ups using inheritance and includes [#801](https://togithub.com/smarty-php/smarty/pull/801) - Fixed PHP8.1 deprecation errors in strip_tags - Fix Variable Usage in Exception message when unable to load subtemplate [#808](https://togithub.com/smarty-php/smarty/pull/808) - Fixed PHP8.1 deprecation notices for strftime [#672](https://togithub.com/smarty-php/smarty/issues/672) - Fixed PHP8.1 deprecation errors passing null to parameter in trim [#807](https://togithub.com/smarty-php/smarty/pull/807) - Adapt Smarty upper/lower functions to be codesafe (e.g. for Turkish locale) [#586](https://togithub.com/smarty-php/smarty/pull/586) - Bug fix for underscore and limited length in template name in custom resources [#581](https://togithub.com/smarty-php/smarty/pull/581) ### [`v4.2.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#421---2022-09-14) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.2.0...v4.2.1) ##### Security - Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://togithub.com/smarty-php/smarty/issues/454) ##### Fixed - Fixed PHP8.1 deprecation notices in modifiers (upper, explode, number_format and replace) [#755](https://togithub.com/smarty-php/smarty/pull/755) and [#788](https://togithub.com/smarty-php/smarty/pull/788) - Fixed PHP8.1 deprecation notices in capitalize modifier [#789](https://togithub.com/smarty-php/smarty/issues/789) - Fixed use of `rand()` without a parameter in math function [#794](https://togithub.com/smarty-php/smarty/issues/794) - Fixed unselected year/month/day not working in html_select_date [#395](https://togithub.com/smarty-php/smarty/issues/395) ### [`v4.2.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#420---2022-08-01) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.1.1...v4.2.0) ##### Fixed - Fixed problems with smarty_mb_str_replace [#549](https://togithub.com/smarty-php/smarty/issues/549) - Fixed second parameter of unescape modifier not working [#777](https://togithub.com/smarty-php/smarty/issues/777) ##### Changed - Updated HTML of the debug template [#599](https://togithub.com/smarty-php/smarty/pull/599) ### [`v4.1.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#411---2022-05-17) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.1.0...v4.1.1) ##### Security - Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221 ##### Fixed - Exclude docs and demo from export and composer [#751](https://togithub.com/smarty-php/smarty/pull/751) - PHP 8.1 deprecation notices in demo/plugins/cacheresource.pdo.php [#706](https://togithub.com/smarty-php/smarty/issues/706) - PHP 8.1 deprecation notices in truncate modifier [#699](https://togithub.com/smarty-php/smarty/issues/699) - Math equation `max(x, y)` didn't work anymore [#721](https://togithub.com/smarty-php/smarty/issues/721) - Fix PHP 8.1 deprecated warning when calling rtrim [#743](https://togithub.com/smarty-php/smarty/pull/743) - PHP 8.1: fix deprecation in escape modifier [#727](https://togithub.com/smarty-php/smarty/pull/727) ### [`v4.1.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#410---2022-02-06) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.4...v4.1.0) ##### Added - PHP8.1 compatibility [#713](https://togithub.com/smarty-php/smarty/pull/713) ### [`v4.0.4`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#404---2022-01-18) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.3...v4.0.4) ##### Fixed - Fixed illegal characters bug in math function security check [#702](https://togithub.com/smarty-php/smarty/issues/702) ### [`v4.0.3`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#403---2022-01-10) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.2...v4.0.3) ##### Security - Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408 ### [`v4.0.2`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#402---2022-01-10) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.1...v4.0.2) ##### Security - Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454 ### [`v4.0.1`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#401---2022-01-09) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v4.0.0...v4.0.1) ##### Security - Rewrote the mailto function to not use `eval` when encoding with javascript ### [`v4.0.0`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#400---2021-11-25) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.48...v4.0.0) ### [`v3.1.48`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.48) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.47...v3.1.48) ##### Security - Fixed Cross site scripting vulnerability in Javascript escaping. This addresses CVE-2023-28447. ##### Fixed - Output buffer is now cleaned for internal PHP errors as well, not just for Exceptions [#514](https://togithub.com/smarty-php/smarty/issues/514) ### [`v3.1.47`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.47) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.46...v3.1.47) If you use the {mailto} plugin in your templates, please check if you are escaping the address value explicitly like this `{mailto address=$htmladdress|escape}`. This could cause problems through double escaping. ##### Security - Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://togithub.com/smarty-php/smarty/issues/454) ##### Fixed - Fixed use of `rand()` without a parameter in math function [#794](https://togithub.com/smarty-php/smarty/issues/794) - Fixed unselected year/month/day not working in html_select_date [#395](https://togithub.com/smarty-php/smarty/issues/395) ### [`v3.1.46`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.46) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.45...v3.1.46) #### What's Changed - Fixed replace modifier by converting encoding if needed by [@AnrDaemon](https://togithub.com/AnrDaemon) in [https://github.com/smarty-php/smarty/pull/740](https://togithub.com/smarty-php/smarty/pull/740) - Fixed second param of unescape modifier by [@wisskid](https://togithub.com/wisskid) in [https://github.com/smarty-php/smarty/pull/779](https://togithub.com/smarty-php/smarty/pull/779) **Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.45...v3.1.46 ### [`v3.1.45`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.45) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.44...v3.1.45) ##### Security - Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221 ##### Fixed - Math equation `max(x, y)` didn't work anymore [#721](https://togithub.com/smarty-php/smarty/issues/721) ### [`v3.1.44`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.44) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.43...v3.1.44) #### What's Changed - Fixes illegal characters warning in math **Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.43...v3.1.44 ### [`v3.1.43`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.43) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.42...v3.1.43) Prevent evasion of the `static_classes` security policy. This addresses CVE-2021-21408 **Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.42...v3.1.43 ### [`v3.1.42`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.42) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.41...v3.1.42) Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454 **Full Changelog**: https://github.com/smarty-php/smarty/compare/v3.1.41...v3.1.42 ### [`v3.1.41`](https://togithub.com/smarty-php/smarty/releases/tag/v3.1.41) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.40...v3.1.41) Rewrote the mailto function to not use `eval` when encoding with javascript ### [`v3.1.40`](https://togithub.com/smarty-php/smarty/blob/HEAD/CHANGELOG.md#3140---2021-10-13) [Compare Source](https://togithub.com/smarty-php/smarty/compare/v3.1.39...v3.1.40) ##### Changed - modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used [https://github.com/smarty-php/smarty/pull/649](https://togithub.com/smarty-php/smarty/pull/649) ##### Security - More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov