CRM-12930 Always use Smarty security for string templates
authorNeil Drumm <drumm@delocalizedham.com>
Thu, 8 Aug 2013 05:55:56 +0000 (05:55 +0000)
committerNeil Drumm <drumm@delocalizedham.com>
Thu, 8 Aug 2013 05:59:43 +0000 (05:59 +0000)
CRM/Core/Smarty.php
CRM/Mailing/BAO/Mailing.php

index 43aab01c20eef5d721fa38473d6d86789d3474c7..3104453152b65bccd7f1c8da0089d4835d69eee1 100644 (file)
@@ -186,7 +186,15 @@ class CRM_Core_Smarty extends Smarty {
    * @param boolean $display
    */
   function fetch($resource_name, $cache_id = NULL, $compile_id = NULL, $display = FALSE) {
-    return parent::fetch($resource_name, $cache_id, $compile_id, $display);
+    if (preg_match( '/^(\s+)?string:/', $resource_name)) {
+      $old_security = $this->security;
+      $this->security = TRUE;
+    }
+    $output = parent::fetch($resource_name, $cache_id, $compile_id, $display);
+    if (isset($old_security)) {
+      $this->security = $old_security;
+    }
+    return $output;
   }
 
   function appendValue($name, $value) {
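Review bot: The restore of `$this->security` after `parent::fetch()` is skipped if the parent call throws, so the shared Smarty object would stay in secure mode for later file templates. That fails closed, but it is worth restoring the saved value in a catch block before rethrowing, or stating in a comment that the behaviour is intended. `isset($old_security)` also doubles as the "was this a string template" flag, so the restore would be skipped if the saved value were ever NULL; an explicit flag such as `$forced = TRUE;` set inside the first `if` is clearer. The docblock above the method (it starts outside the hunk) should record the reason, e.g. `// string: templates can carry user-authored text such as mailing bodies, so Smarty security is forced on while they render.` Security is decided only by the `string:` prefix match, so any other resource type that accepts caller-supplied template text would not be covered; the hunk does not show whether one is registered.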
index ee75e2aff585b1caa4c22139a6355f7418e31bd3..4b8cda012f7e241ce06228377a2c001e7a28989b 100644 (file)
@@ -1187,9 +1187,7 @@ ORDER BY   civicrm_email.is_bulkmail DESC
       )) {
       $textBody = join('', $text);
       if ($useSmarty) {
-        $smarty->security = TRUE;
-        $textBody         = $smarty->fetch("string:$textBody");
-        $smarty->security = FALSE;
+        $textBody = $smarty->fetch("string:$textBody");
       }
       $mailParams['text'] = $textBody;
     }
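Review bot: With the explicit toggling removed, the `fetch("string:$textBody")` call here and the matching `fetch("string:$htmlBody")` call in the next hunk depend entirely on `$smarty` being a `CRM_Core_Smarty` instance, and nothing at the call site says so. Where `$smarty` is created is outside both hunks, so I can't confirm its type; if it were ever a plain `Smarty` object, the mailing body would be rendered with security off and without any error. A short comment above each call would make the dependency visible, for example `// CRM_Core_Smarty::fetch() forces Smarty security on for string: resources`. The new code also returns to the previous security value rather than always setting `FALSE`, which is a behaviour change for any caller that had security enabled before reaching this point.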
@@ -1199,9 +1197,7 @@ ORDER BY   civicrm_email.is_bulkmail DESC
         ))) {
       $htmlBody = join('', $html);
       if ($useSmarty) {
-        $smarty->security = TRUE;
-        $htmlBody         = $smarty->fetch("string:$htmlBody");
-        $smarty->security = FALSE;
+        $htmlBody = $smarty->fetch("string:$htmlBody");
       }
       $mailParams['html'] = $htmlBody;
     }