Smarty 3.1.12 has been released.

3.1.12 has minor bug fixes and improvements. Smarty also received a security fix regarding the escapement of Smarty error messages. ie. an unrealistic but testable case where you call $smarty->display($_GET['id']); and the GET value is passed directly to the error message. To resolve any probable concern, error messages are now escaped.

For details please read the Smarty 3.1.12 Change Log.

bundled-libs/Smarty/libs/sysplugins/smarty_internal_templatecompilerbase.php

@@ -215,6 +215,8 @@ abstract class Smarty_Internal_TemplateCompilerBase {
         } else {
             $code = $template_header . $template->createTemplateCodeFrame($_compiled_code) . $merged_code;
         }
+        // unset content because template inheritance could have replace source with parent code
+        unset ($template->source->content);
         return $code;
     }
 
@@ -592,8 +594,7 @@ abstract class Smarty_Internal_TemplateCompilerBase {
             if ((!($this->template->source->recompiled) || $this->forceNocache) && $this->template->caching && !$this->suppressNocacheProcessing &&
                     ($this->nocache || $this->tag_nocache || $this->forceNocache == 2)) {
                 $this->template->has_nocache_code = true;
-                $_output = str_replace("'", "\'", $content);
-                $_output = str_replace('\\\\', '\\\\\\\\', $_output);
+                $_output = addcslashes($content,'\'\\');
                 $_output = str_replace("^#^", "'", $_output);
                 $_output = "<?php echo '/*%%SmartyNocache:{$this->nocache_hash}%%*/" . $_output . "/*/%%SmartyNocache:{$this->nocache_hash}%%*/';?>\n";
                 // make sure we include modifer plugins for nocache code