
Introduction

Starting with vtenext version 26.01, all variables output by Smarty templates (for example {$VARIABLE}) have, by default, every applicable character converted to HTML "&...;" entity notation. For instance, the string "nice & 'smooth' à > è" is converted to "nice &amp; &#039;smooth&#039; &agrave; &gt; &egrave;".

The conversion is performed with PHP's htmlentities function, without double-encoding entities that are already present in the value.
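The following is an added illustration, not vtenext's own code, of the behaviour described above: a plain PHP function approximating the template escaping (the exact flag set and the function name are assumptions; the page only states that htmlentities is used without double encoding), applied to the page's sample string, to an already-encoded value, and to a value containing markup.

```php
<?php
// Added example (not vtenext's own code): approximates the escaping that
// vtenext 26.01 applies to Smarty template output. The flag set below is an
// assumption; the page only states "htmlentities, without double encoding".
// Run with: php -d zend.assertions=1 escape_example.php
declare(strict_types=1);

function escape_like_vtenext(string $value): string
{
    // ENT_QUOTES    : escape both " and ' so the value is safe inside attributes
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences instead of returning ""
    // double_encode = false: an existing "&amp;" stays "&amp;", it is not re-encoded
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8', false);
}

// 1. The sample string from the page.
$plain = "nice & 'smooth' à > è";
assert(escape_like_vtenext($plain) === 'nice &amp; &#039;smooth&#039; &agrave; &gt; &egrave;');

// 2. A value that was already entity-encoded before reaching the template
//    (constructed sample) is left untouched, so it still renders as "Fish & Chips <b>".
$encoded = 'Fish &amp; Chips &lt;b&gt;';
assert(escape_like_vtenext($encoded) === 'Fish &amp; Chips &lt;b&gt;');

//    With double_encode = true the same value would be encoded a second time
//    and the user would see the literal text "Fish &amp; Chips &lt;b&gt;".
assert(htmlentities($encoded, ENT_QUOTES, 'UTF-8', true) === 'Fish &amp;amp; Chips &amp;lt;b&amp;gt;');

// 3. Markup and quotes inside a variable become inert text (constructed sample);
//    the browser displays the tags instead of interpreting them.
$markup = '<b>bold</b> "quoted"';
assert(escape_like_vtenext($markup) === '&lt;b&gt;bold&lt;/b&gt; &quot;quoted&quot;');

echo "all checks passed\n";
```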

The reason for this change is to reduce exposure to XSS attacks as much as possible, since it was extremely difficult to track every variable used in templates and ensure that each one was properly escaped.

There are, of course, some exceptions to the escaping and some edge cases that should be understood. The next chapter presents the rules to follow for writing simple and secure code.