
Article ID: 116626, created on Aug 2, 2013, last review on Jul 14, 2018

  • Applies to:
  • Business Automation 5.5
  • Business Automation 5.4


By default, Smarty in the template store has an insecure configuration. This allows any PHP code to be called from a Smarty template.


After upgrading to PBA 5.5, edit the configuration file templatestore/conf/ and set $enabledSmartySecurity = true. This restricts the use of PHP functions in Smarty templates.
For clean installations, no action is required.

Notes on limitations

1. The functions 'sizeof', 'strlen', 'nl2br', 'count', 'isset' can be used in Smarty templates in the same way as in PHP code: {assign var=item_length value=strlen($item)}
2. The functions 'escape', 'count' are allowed as modifiers: {if $ListLanguage|@count > 2}
3. All smarty modifiers are allowed (
4. Trusted directory for custom plug-ins: templatestore/custom_plugins
5. The use of PHP tags in Smarty templates is forbidden. If PHP code is essential, custom plug-ins must be used.
6. When upgrading to PBA 5.5, a customer store that has been customized using PHP code, specifically the {php} tag, will not work. Existing templates customized using PHP code require editing: the PHP code fragments must be transformed into custom plug-ins and then called from the template. For more details refer to
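
A pre-upgrade check for the limitations listed above, as an added example that is not part of the original article or of the product: it reports {php} blocks and function calls outside the article's allowed list so that templates can be fixed before the security setting is switched on. The name `audit_template`, the regex heuristics and the default `{ }` delimiters are assumptions, and the sample template is constructed.

```python
import re

# Functions the article lists as callable once $enabledSmartySecurity = true.
ALLOWED_FUNCS = {"sizeof", "strlen", "nl2br", "count", "isset"}
# Smarty control words that can sit directly before "(" without being a call.
KEYWORDS = {"if", "elseif", "and", "or", "not"}

# {php}...{/php} is what breaks; {literal}...{/literal} is skipped (raw JS/CSS).
BLOCK = re.compile(r"\{(php|literal)\}.*?(?:\{/\1\}|\Z)", re.I | re.S)
TAG = re.compile(r"\{([^{}\n]+)\}")  # assumes the default { } delimiters
# "name(" not preceded by "$", "->" or an identifier character
CALL = re.compile(r"(?<![\w$>])([A-Za-z_]\w*)\(")


def audit_template(text):
    """Return sorted (line_number, issue) pairs for one template's source."""
    findings = []

    def blank(match):
        if match.group(1).lower() == "php":
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((line_no, "{php} block: move into a custom plug-in"))
        return "\n" * match.group(0).count("\n")  # keep line numbers stable

    stripped = BLOCK.sub(blank, text)
    for line_no, line in enumerate(stripped.split("\n"), start=1):
        for tag in TAG.finditer(line):
            for call in CALL.finditer(tag.group(1)):
                name = call.group(1).lower()
                if name not in ALLOWED_FUNCS and name not in KEYWORDS:
                    findings.append((line_no, "function not in allowed list: " + name))
    return sorted(findings)


# Constructed sample template (not taken from a real store).
SAMPLE = """{assign var=item_length value=strlen($item)}
{if $ListLanguage|@count > 2}many{/if}
{php}
  echo date('Y');
{/php}
{assign var=today value=date('Y-m-d')}
{literal}<script>function f(){ alert(1) }</script>{/literal}
{if isset($item) && md5($item) == $sum}ok{/if}
"""

if __name__ == "__main__":
    for line_no, issue in audit_template(SAMPLE):
        print("line %d: %s" % (line_no, issue))
```

The match is a heuristic over single-line tags, so treat a clean result as a starting point and still test the store with the setting enabled.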

