Just surfing around and notices Smarty 2.6.9 came out March 31, 2005. and it says.
[31-March-2005] This is a patch release for those using the security features of Smarty. Variable function calls such as $foo() in {if} statements and {math} equations allowed PHP function execution from within a template, even with security enabled. Variable function calls have been disabled completely. If you are using security features, this upgrade is highly recommended.
Then i realized xcart 4.0.13 is using 2.6.3 from June 16, 2004.
xcart 3.5.14 is using 2.5.0 from April 11, 2003.
obviously there are some security issues and bugs that made smarty release new versions.
But why hasn't xcart upgraded to them??
discuss
