Ben

Reputation: 11208

Securing Smarty -> any way of getting all assigned variables?

I've created an extra layer where users can use their own Smarty code in a sort of HTML template module, but I need to be sure it's safe.

So far I've disabled the use of {php} tags, and only {$smarty.now} is accessible. I'm wondering if there is a way, because of the existence of Smarty in the template, to get all variables assigned to the template? If so, how is a list of all assigned variables requested, so I can develop a check for that and exclude it from being parsed (meaning: leave it out of the tpl source once submitted by the user).

Any help or contributions I'm overlooking for 'securing'/limiting Smarty access is greatly appreciated.

Upvotes: 1

Views: 1423

Answers (2)

Potherca

Reputation: 14610

If I understand you correctly, what you are looking for is $smarty->getTemplateVars(); this will give you an array with the names/values of the assigned template variables.

Quoting from the API documentation:

Name

getTemplateVars() — returns assigned variable value(s)

Description

array getTemplateVars(string varname);

If no parameter is given, an array of all assigned variables is returned.

Example 14.31. getTemplateVars

<?php
require_once 'libs/Smarty.class.php'; // load Smarty (adjust the path to your installation)
$smarty = new Smarty();
$smarty->assign('foo', 'bar'); // assign something so the lookups below return a value

// get assigned template var 'foo'
$myVar = $smarty->getTemplateVars('foo');

// get all assigned template vars
$all_tpl_vars = $smarty->getTemplateVars();

// take a look at them
print_r($all_tpl_vars);
?>

Upvotes: 0
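As an added example (not code from the question or from either answer), here is how the two threads above fit together in practice: user-submitted template text is rendered in its own Smarty instance under a restrictive Smarty_Security policy, only a whitelist of values is assigned, and getTemplateVars() is used as a final check that nothing beyond the whitelist is exposed. It assumes Smarty 3.x; the include path, the compile directory, the policy's allowed tags/modifiers and the sample template are assumptions made for illustration.

```php
<?php
// Added example, assuming Smarty 3.x. Path below is an assumption.
require_once 'libs/Smarty.class.php';

// Restrictive policy for user-controlled templates (Smarty 3 Smarty_Security).
class UserTemplatePolicy extends Smarty_Security
{
    // Strip {php} blocks entirely rather than passing them through.
    public $php_handling = Smarty::PHP_REMOVE;
    // No PHP constants and no $smarty.server / $smarty.get / ... superglobals
    // ($smarty.now is unaffected by this setting).
    public $allow_constants = false;
    public $allow_super_globals = false;
    // null disables static class access and stream resources completely.
    public $static_classes = null;
    public $streams = null;
    // Only these tags, modifiers and PHP functions may appear (assumed whitelist).
    public $allowed_tags = array('if', 'elseif', 'else', 'foreach', 'foreachelse');
    public $allowed_modifiers = array('escape', 'upper', 'lower', 'date_format');
    public $php_functions = array('isset', 'empty', 'count');
    public $php_modifiers = array('escape');
}

/**
 * Render user-supplied template source with only the whitelisted values.
 *
 * @param string $userSource  template text submitted by the user
 * @param array  $allowed     name => value pairs the template may see
 * @return string rendered output
 * @throws RuntimeException if anything outside the whitelist is assigned
 */
function renderUserTemplate($userSource, array $allowed)
{
    // A fresh instance per render: nothing assigned to the application's main
    // Smarty object can leak into the user-controlled template.
    $smarty = new Smarty();
    $smarty->setCompileDir('/tmp/smarty_user_compile'); // assumption
    $smarty->enableSecurity('UserTemplatePolicy');

    foreach ($allowed as $name => $value) {
        $smarty->assign($name, $value);
    }

    // The check from Potherca's answer: every assigned variable must be on
    // the whitelist, otherwise refuse to render.
    $exposed    = array_keys($smarty->getTemplateVars());
    $unexpected = array_diff($exposed, array_keys($allowed));
    if ($unexpected) {
        throw new RuntimeException('Unexpected template vars: ' . implode(', ', $unexpected));
    }

    // The 'string:' resource compiles the submitted text directly; no
    // template file has to be written to disk.
    return $smarty->fetch('string:' . $userSource);
}

// Constructed sample template: a {php} block (removed by the policy) and an
// attempt to read a superglobal (rejected at compile time by the policy).
$userSource = '<h1>{$title|escape}</h1>{php}echo "x";{/php} now: {$smarty.now}';
$hostile    = '{$smarty.server.HTTP_HOST}';

echo renderUserTemplate($userSource, array('title' => 'Hello <world>')), "\n";

try {
    echo renderUserTemplate($hostile, array('title' => 'x')), "\n";
} catch (SmartyException $e) {
    // Compile-time policy violation: log it and show the user a generic error.
    echo 'Template rejected: ', $e->getMessage(), "\n";
}
?>
```

The per-render instance matters more than the getTemplateVars() check: the check only catches what your own code assigned, while a separate instance guarantees the application's variables were never assigned in the first place. The security policy is what actually stops {php}, superglobals and arbitrary modifiers; review its whitelist whenever a new tag or modifier is requested by users.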

Alex Amiryan

Reputation: 1382

First of all, it is the wrong approach to take something way too powerful and limit it in order to secure it. Famously, Java has been failing at that for many years with their browser plugin. Instead, if you want to have a really secure solution, I would suggest writing your own tiny templating engine that will only have the functionality you need to provide to your users. In that case there will be no way for the bad guys to exploit it.

Upvotes: 1
