Merge pull request #1371 from drumm/CRM-12930-smarty-safe-mode

CRM-12930 Always use Smarty security for string templates

CRM/Core/Smarty.php

@@ -186,7 +186,15 @@ class CRM_Core_Smarty extends Smarty {
    * @param boolean $display
    */
   function fetch($resource_name, $cache_id = NULL, $compile_id = NULL, $display = FALSE) {
-    return parent::fetch($resource_name, $cache_id, $compile_id, $display);
+    if (preg_match( '/^(\s+)?string:/', $resource_name)) {
+      $old_security = $this->security;
+      $this->security = TRUE;
+    }
+    $output = parent::fetch($resource_name, $cache_id, $compile_id, $display);
+    if (isset($old_security)) {
+      $this->security = $old_security;
+    }
+    return $output;
   }
 
   function appendValue($name, $value) {

CRM/Mailing/BAO/Mailing.php

@@ -1187,9 +1187,7 @@ ORDER BY   civicrm_email.is_bulkmail DESC
       )) {
       $textBody = join('', $text);
       if ($useSmarty) {
-        $smarty->security = TRUE;
-        $textBody         = $smarty->fetch("string:$textBody");
-        $smarty->security = FALSE;
+        $textBody = $smarty->fetch("string:$textBody");
       }
       $mailParams['text'] = $textBody;
     }
@@ -1199,9 +1197,7 @@ ORDER BY   civicrm_email.is_bulkmail DESC
         ))) {
       $htmlBody = join('', $html);
       if ($useSmarty) {
-        $smarty->security = TRUE;
-        $htmlBody         = $smarty->fetch("string:$htmlBody");
-        $smarty->security = FALSE;
+        $htmlBody = $smarty->fetch("string:$htmlBody");
       }
       $mailParams['html'] = $htmlBody;
     }