Legacy Smarty Tags
In previous WHMCS versions, Smarty 3’s SmartyBC provided backwards compatibility for Smarty’s {php}
, {include_php}
, and {insert}
tags. To promote better security, we plan to move to Smarty 4, which is not compatible with SmartyBC, in the near future.
Eliminate Legacy Smarty Tag Use on Your Installation
Before upgrading to WHMCS 9.0, you must remove legacy Smarty tags from all of your customizations and disable the related Allow Smarty PHP Tags setting. This requires that you perform all of the following actions:
- Update all of the template files and email templates that display in the Smarty Compatibility report at Reports > Reports.
- Disable Allow Smarty PHP Tags in the Security tab at Configuration () > System Settings > General Settings.
- Verify that no Smarty PHP tag warnings display at Configuration () > System Health.
To do this, perform the following steps on WHMCS 8.7 or later:
- Go to Reports > Reports.
- Click Smarty Compatibility at the bottom of the page. If the system detects any legacy Smarty tags in your customizations, the report will list them:For more information, see Scanning for Legacy Tags below.
- For each item under Template Files, use your preferred method to edit each file to remove all legacy Smarty tags.
- For each item under Email Templates, click the template name to edit the email template in the editor at Configuration () > System Settings > Email Templates.For examples of removing the most common legacy Smarty tag uses, see Replace Legacy Smarty Tags.
- When you have finished editing each item in the report, click Rescan Now to ensure that there are no remaining legacy Smarty tags.
- When scanning no longer finds any legacy Smarty tags, go to the Security tab at Configuration () > System Settings > General Settings.
- Select Disabled for Allow Smarty PHP Tags.
- Click Save.
- Go to Configuration () > System Health to ensure that no legacy Smarty tag warnings display. If any warnings do display, repeat the steps above to ensure that you have removed all tags from your system.For more information, see Legacy Tag Warnings below.
Scanning for Legacy Tags
WHMCS 8.7 includes scanning capabilities, Admin Area warnings, and a report to help you find legacy tags in your customizations. When you view the Smarty Compatibility report at Reports > Reports, the system will scan your installation for legacy Smarty tags.
- The system will schedule this scan in the job queue for five minutes after the upgrade finishes.
- If that scan detects legacy tags on your installation, it will queue the job every 24 hours for as long as the tags remain.
The scan searches for {php}
, {include_php}
, and {insert}
tags in the following locations within your WHMCS installation’s root directory:
- All files in the following directories:
/includes/hooks
/modules
/templates
/admin/templates
- All email template files.
- All trusted directories in the installation’s custom Smarty security policy.
The system will cache the scan’s results for 24 hours and will not rerun the scan while cached data is present. You can manually rerun the scan at any time by clicking Rescan Now.
The Smarty Compatibility Report
You can view the full results of the scan by going to Reports > Reports and clicking Smarty Compatibility. It includes the filename and filepath for each file, the line number that contains the tag, and, for email templates, the template type.
Legacy Tag Warnings
In WHMCS 8.7 and later, the system checks your WHMCS installation for the following conditions:
- Allow Smarty PHP Tags is enabled in the Security tab at Configuration () > System Settings > General Settings.This setting does not display in WHMCS 8.7 and later for new installations.
- The Smarty Compatibility scan detects tags on your system.
If either of these conditions are present, a warning will display at Configuration () > System Health and at the top of the Admin Area.
Last modified: November 19, 2024