Eliminating Legacy Smarty Tags
In previous versions of WHMCS, Smarty 3's SmartyBC provided backwards compatibility for Smarty's {php}, {include_php}, and {insert} tags, allowing you to add custom PHP logic to your custom themes and templates. To promote better security in future versions, we plan to move to Smarty 4, which is not compatible with SmartyBC. WHMCS 6.0 deprecated these legacy tags, and we plan to remove that support entirely in WHMCS 9.0. This requires action on your part if your customizations include these tags.
To ensure compatibility in WHMCS 9.0 and later, you must eliminate these tags in your customizations. Using legacy Smarty tags represents a security risk, so we recommend removing them as soon as possible.
Contents
How Can I Find Legacy Tags On My System?
WHMCS 8.7 includes scanning capabilities, Admin Area warnings, and a report to help you find legacy tags in your customizations. Use them to find the locations to update so that you can eliminate them in all of your customizations.
Scanning for Legacy Tags
In WHMCS 8.7 and later, when you view the Smarty Compatibility report at Reports > Reports, the system will scan your installation for {php}, {include_php}, and {insert} tags.
When you upgrade to WHMCS 8.7 from a previous version, the system will schedule this scan in the job queue for five minutes after the upgrade finishes. If that scan detects legacy tags on your installation, it will queue the job every 24 hours for as long as the tags remain.
The scan searches for {php}, {include_php}, and {insert} tags in the following locations within your WHMCS installation's root directory:
- All files in the following directories:
- /includes/hooks
- /modules
- /templates
- /admin/templates
- All email template files.
- All trusted directories in the installation's custom Smarty security policy.
The system will cache the scan's results for 24 hours and will not re-run the scan while cached data is present. You can manually re-run the scan at any time by clicking Rescan Now.
The Smarty Compatibility Report
You can view the full results of the scan by going to Reports > Reports and clicking Smarty Compatibility. It includes the filename and filepath for each file, the line number that contains the tag, and, for email templates, the template type.
For a full description of the report and the information that it provides, see Reports.
Legacy Tag Warnings
In WHMCS 8.7 and later, the system checks your WHMCS installation for the following conditions:
- Allow Smarty PHP Tags is enabled in the Security tab at Configuration () > System Settings > General Settings.
- The Smarty Compatibility scan detects tags on your system.
If either of these conditions are present, a warning will display at Configuration () > System Health and at the top of the Admin Area.
Eliminating Legacy Tags
To eliminate legacy Smarty tags from your system and remove the associated warnings, you will need to:
- Update all of the template files and email templates that display in the Smarty Compatibility report at Reports > Reports.
- Disable Allow Smarty PHP Tags in the Security tab at Configuration () > System Settings > General Settings.
- Verify that no Smarty PHP tag warnings display at Configuration () > System Health.
For detailed steps to complete this process, see Eliminating Legacy Smarty Tags in WHMCS 8.7+.
Allow Smarty PHP Tags
In WHMCS 8.7 and later, the Allow Smarty PHP Tags setting in the Security tab at Configuration () > System Settings > General Settings will not automatically display for new installations.