Skip to content

Preview/Smartylint #95

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andrescastellanos-coderabbit wants to merge 1 commit into
base: main
Choose a base branch
from
+260 −0
Open

Preview/Smartylint #95

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions smartylint/checkout.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{include file="header.tpl" page_title="Checkout"}

<section class="checkout">
<h1>Review your order</h1>

{if $cart.items}
<table class="cart-summary">
<thead>
<tr><th>Item</th><th>Qty</th><th>Price</th></tr>
</thead>
<tbody>
{foreach $cart.items as $line}
<tr>
<td>{$line.name}</td>
<td>{$line.quantity}</td>
<td>{$line.subtotal|string_format:"%.2f"}</td>
</tr>
Comment on lines +14 to +17
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "checkout.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 103

🏁 Script executed:

cat -n ./smartylint/checkout.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 2589

🏁 Script executed:

# Check for Smarty configuration or security settings
find . -name "*.php" -o -name "*.conf*" -o -name "*.config*" | head -20 | xargs grep -l "smarty\|escape\|auto_escape" 2>/dev/null || true

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check if there's any PHP configuration that might set auto-escaping
find . -type f \( -name "*.php" -o -name "*.conf" -o -name "*.config" \) -exec grep -l "escape" {} \; 2>/dev/null | head -10

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Look for PHP files that might initialize Smarty or this template
find . -name "*.php" -type f | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check the directory structure
ls -la ./smartylint/

Repository: coderabbitai/coderabbit-pr-review

Length of output: 570

Add HTML escaping to cart items, buyer fields, and coupon value.

Lines 14-17, 25-27, 38, and 48 render runtime data without escaping. In HTML text contexts (lines 14-17, 38), use {$variable|escape:'html'}. In HTML attribute contexts (lines 25-27, 48), use {$variable|escape:'quotes'} to prevent attribute injection and XSS attacks.

Also applies to: 25-27, 38-38, 48-48

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/checkout.tpl` around lines 14 - 17, The template renders unescaped
runtime data — update the cart item and buyer/coupon renderings to use Smarty
escaping: apply {$line.name|escape:'html'} and {$line.quantity|escape:'html'}
(and {$line.subtotal|escape:'html'} after formatting) for HTML text contexts,
and use {$buyerField|escape:'quotes'} and {$couponValue|escape:'quotes'} for
values placed in attributes; ensure you add the |escape modifier to each
occurrence referenced (e.g., {$line.name}, {$line.quantity}, {$line.subtotal},
buyer field variables, and coupon value) so text contexts use 'html' escaping
and attribute contexts use 'quotes' escaping.

{/foreach}
</tbody>
</table>

<form action="/checkout/place-order" method="post">
<fieldset>
<legend>Shipping</legend>
<label>Full name <input type="text" name="name" value="{$buyer.name}"></label>
<label>Address <input type="text" name="address" value="{$buyer.address}"></label>
<label>City <input type="text" name="city" value="{$buyer.city}"></label>

<label>
Method
<select name="shipping_method">
<option value="standard">Standard</option>
<option value="express">Express</option>
</select>
</label>

{if $shipping_method == "express"}
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Close the checkout shipping condition block

The {if $shipping_method == "express"} block opened here is never closed, so Smarty cannot correctly match block delimiters when compiling this template. In practice, rendering the checkout page will fail with an unclosed-tag parse error instead of showing the form.

Useful? React with 👍 / 👎.

<p class="note">Express delivery adds {$express_fee|string_format:"%.2f"}.</p>

{if $promo_code == "WELCOME10"}
<p class="note">Promo applied: 10% off.</p>
{/if}
</fieldset>
Comment on lines +37 to +43
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Close the outer shipping {if} block.

Line 37 opens an if block that is never closed. This is a template parse error and can break rendering of the form section.

🔧 Proposed fix 
 {if $shipping_method == "express"}
     <p class="note">Express delivery adds {$express_fee|string_format:"%.2f"}.</p>

 {if $promo_code == "WELCOME10"}
     <p class="note">Promo applied: 10% off.</p>
 {/if}
+{/if}
 </fieldset>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{if $shipping_method == "express"}
<p class="note">Express delivery adds {$express_fee|string_format:"%.2f"}.</p>
{if $promo_code == "WELCOME10"}
<p class="note">Promo applied: 10% off.</p>
{/if}
</fieldset>
{if $shipping_method == "express"}
<p class="note">Express delivery adds {$express_fee|string_format:"%.2f"}.</p>
{if $promo_code == "WELCOME10"}
<p class="note">Promo applied: 10% off.</p>
{/if}
{/if}
</fieldset>
🧰 Tools
🪛 smarty-lint (0.3.3)

[warn] 37-37: Use "===" instead of "==".

(eqeqeq)

[warn] 40-40: Use "===" instead of "==".

(eqeqeq)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/checkout.tpl` around lines 37 - 43, The template opens an if block
with `{if $shipping_method == "express"}` but never closes it, causing a parse
error; close that outer conditional by adding a matching `{/if}` after the
express-related content (before the existing `{if $promo_code == "WELCOME10"}`
block or before `</fieldset>` as appropriate) so the `{if $shipping_method ==
"express"}` block is properly terminated and the nested promo `{if $promo_code
== "WELCOME10"}` remains valid.


<fieldset>
<legend>Payment</legend>
<label>Card number <input type="text" name="card"></label>
<label>Coupon <input type="text" name="coupon" value="{$applied_coupon}"></label>
</fieldset>

<button type="submit">Place order</button>
</form>
Comment on lines +22 to +52
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find and read the actual checkout.tpl file
find . -name "checkout.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 103

🏁 Script executed:

# Search for CSRF-related patterns in the codebase
rg -i "csrf" --type-list | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 467

🏁 Script executed:

# Look for token-related patterns in templates and code
rg -i "token|_token" -t smarty -t php -t js | head -30

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check the codebase structure to understand the framework
ls -la

Repository: coderabbitai/coderabbit-pr-review

Length of output: 356

🏁 Script executed:

# Read the actual checkout.tpl file
cat -n ./smartylint/checkout.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 2589

🏁 Script executed:

# Search for CSRF patterns in the codebase
rg -i "csrf" .

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Search for token patterns in the codebase
rg -i "_token|csrf_token|token" .

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check for middleware or security-related files
find . -name "*.php" -o -name "*.py" -o -name "*.js" | grep -i "middleware\|config\|security"

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Look for form helpers or template functions that might add CSRF tokens
rg -i "form|csrf" --type smarty .

Repository: coderabbitai/coderabbit-pr-review

Length of output: 950

🏁 Script executed:

# Check all template files for CSRF patterns
find ./smartylint -name "*.tpl" -exec grep -l "csrf\|token\|_token" {} \;

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check if there are any PHP, Python, or configuration files outside smartylint
find . -type f \( -name "*.php" -o -name "*.py" -o -name "*.js" -o -name "*.conf" -o -name "*.config" \) ! -path "./.git/*"

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Specifically check the product_detail.tpl form for comparison
cat -n ./smartylint/product_detail.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 2132

Add CSRF token to the checkout form or verify CSRF middleware protection.

The POST form submitting sensitive payment and order data (lines 22-52) contains no CSRF token. Either include a hidden CSRF token field in the form, or confirm that request-level CSRF validation middleware is enforced for the /checkout/place-order endpoint.

🧰 Tools
🪛 smarty-lint (0.3.3)

[warn] 37-37: Use "===" instead of "==".

(eqeqeq)

[warn] 40-40: Use "===" instead of "==".

(eqeqeq)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/checkout.tpl` around lines 22 - 52, The checkout form that posts
to "/checkout/place-order" is missing a CSRF token; add a hidden input for the
CSRF token (e.g., <input type="hidden" name="csrf_token" ...>) into the <form
action="/checkout/place-order" method="post"> in the template (checkout.tpl) and
ensure the server-side handler that processes /checkout/place-order validates
that token, or alternatively confirm global/request-level CSRF middleware is
enabled for that route so submissions from the Card/Payment fields are
protected.

{else}
<p>Your cart is empty. <a href="/products">Browse products</a>.</p>
{/if}
</section>

{include file="footer.tpl"}
34 changes: 34 additions & 0 deletions smartylint/email_order.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
{* order confirmation email — plain text + html sections *}

Subject: Your Demoapp order #{$order.id} is confirmed

Hi {$buyer.name},

Thanks for your order! Here's a summary:

Order #{$order.id}
Placed: {$order.placed_at}
Total: {$order.total|string_format:"%.2f"}

Items:
{foreach $order.items as $line}
- {$line.name} x {$line.quantity} = {$line.subtotal|string_format:"%.2f"}
{/foreach}

Shipping to:
{$buyer.address}
{$buyer.city}, {$buyer.region} {$buyer.postal_code}

{php}
$tracking = isset($order['tracking_number']) ? $order['tracking_number'] : 'pending';
echo "Tracking: " . $tracking . "\n";
{/php}
Comment on lines +22 to +25
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "email_order.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 106

🏁 Script executed:

# Check if the file exists and read it
if [ -f "./smartylint/email_order.tpl" ]; then
  cat -n ./smartylint/email_order.tpl
else
  echo "File not found at ./smartylint/email_order.tpl"
  fd "email_order" --type f
fi

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1110

🌐 Web query:

Smarty {php} block deprecated

💡 Result:

In Smarty, the {php} tag (embedded PHP blocks) is deprecated. Authoritative evidence: - Smarty’s own documentation page for {php} states: “IMPORTANT NOTICE: {php} tags are deprecated from Smarty, and should not be used.” It also notes that as of Smarty 3.1 the tags are only available from SmartyBC. - Smarty’s official upgrade guide for Smarty 4 says support for {php} and {include_php} tags and embedded PHP has been completely dropped; the guide instructs rewriting by moving logic to PHP files or creating a plugin. What to do instead: - Move PHP logic out of templates into PHP scripts/controllers/services. - If you need to call functionality from templates, expose it via Smarty plugins (e.g., custom function/modifier or extension) rather than {php} blocks.

Citations:

🌐 Web query:

Smarty template {assign} syntax variable escaping

💡 Result:

The {assign} function in Smarty templates does not have built-in syntax or attributes for directly escaping variables. The official Smarty 3 and 4 documentation for {assign} lists attributes like var, value, scope, and the nocache flag, but no escape-related options. Escaping is handled separately when outputting variables using the |escape modifier (e.g., {$name|escape:'html'}) or globally via $smarty->escape_html = true, which applies htmlspecialchars to all variable outputs automatically (can be bypassed with nofilter on specific variables). Variables assigned via {assign} are treated like any others for escaping purposes—no special escaping occurs during assignment itself. For security, always escape user-controlled data on output, as recommended in best practices.

Citations:

Remove deprecated {php} block and move logic to Smarty-safe constructs.

Line 22-25 uses a deprecated {php} block, which is unsupported in Smarty 4 and poses security and maintainability risks. The {php} tag has been completely removed from Smarty 4; move the logic to PHP controllers or expose it via Smarty plugins instead.

Proposed fix 
-{php}
-    $tracking = isset($order['tracking_number']) ? $order['tracking_number'] : 'pending';
-    echo "Tracking: " . $tracking . "\n";
-{/php}
+{assign var="tracking" value=$order.tracking_number|default:"pending"}
+Tracking: {$tracking|escape}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{php}
$tracking = isset($order['tracking_number']) ? $order['tracking_number'] : 'pending';
echo "Tracking: " . $tracking . "\n";
{/php}
{assign var="tracking" value=$order.tracking_number|default:"pending"}
Tracking: {$tracking|escape}
🧰 Tools
🪛 smarty-lint (0.3.3)

[error] 25-25: Left-operand missing in operation.

(invalid-arithmetic-operation)

[warn] 25-25: Don't use unquoted strings. Always use single- or double-quoted strings to prevent misinterpretation.

(unquoted-string)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/email_order.tpl` around lines 22 - 25, Remove the deprecated {php}
block and move the logic to Smarty-safe constructs: either assign the tracking
value from PHP controller (e.g., compute $tracking =
isset($order['tracking_number']) ? $order['tracking_number'] : 'pending' and
$smarty->assign('tracking', $tracking)) or use Smarty template features directly
(use {$order.tracking_number|default:'pending'} to render the value). Replace
the {php} block that references $order['tracking_number'] and $tracking with a
plain template line that outputs the tracking label and the Smarty variable
(e.g., "Tracking: " followed by the Smarty expression) so the template is Smarty
4 compatible and secure.


Track your order:
https://demoapp.example.com/orders/{$order.id}/track

Questions? Reply to this email or visit https://demoapp.example.com/help.

— The Demoapp team

{* *}
35 changes: 35 additions & 0 deletions smartylint/footer.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
</main>

<footer class="site-footer">
{* *}

{if true}
<div class="footer-links">
<a href="/about">About</a>
<a href="/help">Help</a>
<a href="/privacy">Privacy</a>
</div>
{/if}

{if $show_newsletter}
{/if}

{foreach $social_links as $link}
{/foreach}

<div class="copyright">
<p>&copy; {$current_year} Demoapp.</p>
<p>Build {$build_id|@default:"dev"}</p>
</div>

{if $debug == "true"}
<pre class="debug">
{$debug_payload}
</pre>
Comment on lines +25 to +28
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -i footer

Repository: coderabbitai/coderabbit-pr-review

Length of output: 99

🏁 Script executed:

find . -name "footer.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 101

🏁 Script executed:

cat -n smartylint/footer.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1086

🏁 Script executed:

rg "escape" smartylint/ -A 2 -B 2

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

rg "\|escape" . -t tpl --max-count=20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 105

🏁 Script executed:

grep -r "debug_payload" smartylint/ 2>/dev/null || echo "No references found"

Repository: coderabbitai/coderabbit-pr-review

Length of output: 132

🏁 Script executed:

rg "debug" smartylint/ --max-count=20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 238

🏁 Script executed:

rg "\|" smartylint/ --max-count=30

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1042

🏁 Script executed:

fd . smartylint -name "*.tpl" -o -name "*.php" -o -name "*.js" | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 308

🏁 Script executed:

rg "debug_payload" . --max-count=20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 134

🏁 Script executed:

fd . smartylint -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 248

🏁 Script executed:

ls -la smartylint/

Repository: coderabbitai/coderabbit-pr-review

Length of output: 570

🏁 Script executed:

web_search
Smarty template escape filter syntax

Repository: coderabbitai/coderabbit-pr-review

Length of output: 173

🌐 Web query:

Smarty template escape filter syntax html

💡 Result:

The syntax for the Smarty template escape filter for HTML is {$variable|escape:'html'} or {$variable|escape:"html"}. By default, {$variable|escape} uses HTML escaping. This escapes special characters like & " ' < > using htmlspecialchars with ENT_QUOTES. Examples: - {$articleTitle|escape:'html'} outputs: 'Stiff Opposition Expected to Casketless Funeral Plan' - Other options: 'htmlall' (all entities), 'url', 'quotes', etc. For global HTML escaping, set $smarty->escape_html = true; in PHP (requires template recompilation). To disable for a variable: {$variable nofilter}.

Citations:

Harden debug branch condition and escape payload.

Lines 25–28 render {$debug_payload} without escaping, creating a potential XSS vulnerability. The loose comparison on line 25 should also be simplified.

🔧 Proposed fix 
-{if $debug == "true"}
+{if $debug}
     <pre class="debug">
-        {$debug_payload}
+        {$debug_payload|escape}
     </pre>
 {/if}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{if $debug == "true"}
<pre class="debug">
{$debug_payload}
</pre>
{if $debug}
<pre class="debug">
{$debug_payload|escape}
</pre>
{/if}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/footer.tpl` around lines 25 - 28, Change the loose string
comparison {if $debug == "true"} to a boolean check {if $debug} and escape the
payload when rendering by replacing {$debug_payload} with an escaped version
like {$debug_payload|escape:'html':'UTF-8'} (or {$debug_payload|escape:'html'}
if UTF-8 is implicit) inside the <pre class="debug">; this hardens the condition
and prevents XSS by ensuring the debug payload is HTML-escaped.

{/if}
</footer>

{include file=tracking.tpl}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, find and examine the file
find . -name "footer.tpl" -o -name "*.tpl" | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 242

🏁 Script executed:

# Check if the file exists and read it
cat smartylint/footer.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 841

🏁 Script executed:

# Search for all include statements in the codebase to check consistency
rg '\{include' -A 1 -B 1

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1004

🏁 Script executed:

# Look for any smarty linting configuration or documentation
find . -type f \( -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.cfg" -o -name "*.conf" -o -name "README*" -o -name "LINT*" \) | head -30

Repository: coderabbitai/coderabbit-pr-review

Length of output: 89

Quote include filename for consistency.

Line 32 uses an unquoted include filename, while line 33 in the same file uses quotes. Align with the predominant pattern in the codebase where most include filenames are quoted.

🔧 Proposed fix 
-{include file=tracking.tpl}
+{include file="tracking.tpl"}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{include file=tracking.tpl}
{include file="tracking.tpl"}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/footer.tpl` at line 32, The include statement in footer.tpl uses
an unquoted filename ({include file=tracking.tpl}); update it to use quoted
filename syntax to match the codebase pattern by changing the include to use
single (or consistent) quotes around tracking.tpl (e.g. {include
file='tracking.tpl'}) so it aligns with the other includes in this template.

{include file="scripts.tpl"}
</body>
</html>
38 changes: 38 additions & 0 deletions smartylint/header.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
{* *}
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>{$page_title} - Demoapp Store</title>
<meta name="description" content="{$meta_description}">
Comment on lines +6 to +7
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

fd -type f -name "header.tpl" | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 248

🏁 Script executed:

find . -name "header.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 101

🏁 Script executed:

cat -n ./smartylint/header.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1334

🏁 Script executed:

rg -i "smarty|template" ./smartylint/header.tpl -B 5 -A 5 | head -30

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

find . -name "*.tpl" -type f | head -10

Repository: coderabbitai/coderabbit-pr-review

Length of output: 242

Escape dynamic values in HTML contexts using Smarty escape modifier.

Lines 6-7, 14, 17, 22, and 34 output runtime data without escaping, creating XSS vulnerabilities in both HTML text and attribute contexts. Use {$variable|escape:'htmlall'} to safely render user-controlled or dynamic data. For example:

Escaping patterns 
{$page_title|escape:'htmlall'} - Demoapp Store
content="{$meta_description|escape:'htmlall'}"
class="page-{$page_class|escape:'htmlall'}"

Also applies to: 12-12

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/header.tpl` around lines 6 - 7, Template outputs are rendering
unescaped dynamic variables (e.g., {$page_title}, {$meta_description},
{$page_class} and other runtime variables in this template) which opens XSS
risks; update every occurrence that injects user-controlled or dynamic data into
HTML text or attributes to use Smarty's escape modifier (for example use
|escape:'htmlall') so values are correctly escaped in HTML contexts, and apply
this consistently to all instances mentioned (lines showing {$page_title},
{$meta_description}, {$page_class} and the other dynamic variables in the file).


{include file=meta.tpl}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

git ls-files smartylint/header.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 99

🏁 Script executed:

head -20 smartylint/header.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 599

🏁 Script executed:

rg -n "include" smartylint/header.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 163

🏁 Script executed:

rg "{include" smartylint/ -A 1 -B 1

Repository: coderabbitai/coderabbit-pr-review

Length of output: 161

🏁 Script executed:

find smartylint -name "*.tpl" -type f -exec cat {} \; | grep -n "include"

Repository: coderabbitai/coderabbit-pr-review

Length of output: 499

🏁 Script executed:

rg "include file" smartylint --no-regex

Repository: coderabbitai/coderabbit-pr-review

Length of output: 514

🏁 Script executed:

web_search
Smarty template include file parameter syntax quotes requirement

Repository: coderabbitai/coderabbit-pr-review

Length of output: 173

🌐 Web query:

Smarty template engine include file parameter quotes syntax parser rules

💡 Result:

In Smarty template engine, the {include} tag requires a mandatory 'file' attribute specifying the template path. The syntax for quotes around the file parameter follows Smarty's string interpolation rules: - Use double quotes "file="$variable.tpl"" for variable substitution: variables like $module are expanded by the parser (e.g., {include file="$module.tpl"} resolves if $module='contacts'). - Use single quotes 'file='$variable.tpl'' for literal strings: no variable substitution occurs (e.g., {include file='$module.tpl'} treats it literally as '$module.tpl', causing failure if expecting a resolved path). - Short form without 'file=' is allowed for relative paths: {include "page_header.tpl"} or {include 'page_header.tpl'}. - For absolute paths or special resources, prefix with 'file:': {include file="file:/path/to/template.tpl"} (required for Windows paths like 'file:C:/path/template.tpl'). The parser processes double-quoted strings first for variable replacement before resolving the file resource. Single quotes preserve the string literally. Complex expressions (e.g., containing dots like $foo.bar) require backticks: {include file="$foo.bar.tpl"}. This behavior ensures predictable template inclusion while preventing unintended variable expansion in paths.

Citations:

Add quotes to the include file parameter for proper Smarty syntax.

Line 9 uses an unquoted file value that creates parser ambiguity. The same file demonstrates the correct syntax on line 10 with quoted filenames.

🔧 Proposed fix 
-{include file=meta.tpl}
+{include file="meta.tpl"}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{include file=meta.tpl}
{include file="meta.tpl"}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/header.tpl` at line 9, The Smarty include on header.tpl uses an
unquoted parameter ({include file=meta.tpl}) which causes parser ambiguity;
update the include invocation in header.tpl to use quoted filename syntax (e.g.,
change the include call referencing meta.tpl to use "meta.tpl") so it matches
the correct usage elsewhere in the template and avoids parsing errors.

{include file="styles.tpl" theme=$current_theme}

<link rel="canonical" href="https://demoapp.example.com/{$canonical_path}>
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Terminate the canonical link href quote

The href attribute starts with a double quote but never closes it, so browsers can treat following markup as part of the same attribute value and misparse the document head/body structure. This can break metadata and page layout parsing on product pages that include this header.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Fix broken canonical link attribute quoting.

Line 12 is missing the closing quote for href, which breaks HTML structure and can corrupt downstream DOM parsing.

🔧 Proposed fix 
-<link rel="canonical" href="https://demoapp.example.com/{$canonical_path}>
+<link rel="canonical" href="https://demoapp.example.com/{$canonical_path|escape:'url'}">
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<link rel="canonical" href="https://demoapp.example.com/{$canonical_path}>
<link rel="canonical" href="https://demoapp.example.com/{$canonical_path|escape:'url'}">
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/header.tpl` at line 12, The canonical link tag in header.tpl is
missing the closing quote for the href attribute; update the <link
rel="canonical"...> line so the href value ends with a double quote after
{$canonical_path} (i.e., ensure the attribute reads
href="https://demoapp.example.com/{$canonical_path}"), preserving the existing
template variable and surrounding markup to restore valid HTML and prevent DOM
parsing errors.

</head>
<body class="page-{$page_class}">

<header class="site-header">
<a href="/" class="logo">{$site_name}</a>

<nav class="primary-nav">
<ul>
{foreach $nav_items as $item}
<li><a href="{$item.url}">{$item.label}</a></li>
{/foreach}
</ul>
</nav>

{if $cart_count}
<a href="/cart" class="cart-link">
Cart ({$cart_count})
</a>
{/if}

{if $logged_in}
<span class="user-greeting">Welcome, {$user_name}!</span>
{/if}
</header>

<main class="container">
54 changes: 54 additions & 0 deletions smartylint/product_detail.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
{include file="header.tpl" page_title=$Product.name}

<article class="product-detail">
<div class="gallery">
{foreach $Product.images as $Image}
<img src="{$Image.url}" alt="{$Image.alt|@default:""}">
{/foreach}
</div>

<div class="info">
<h1>{$Product.name}</h1>
<p class="sku">SKU: {$Product.sku|@default:"n/a"}</p>
<p class="price">{$Product.price|string_format:"%.2f"}</p>

<div class="description">
{$Product.long_description}
</div>
Comment on lines +11 to +17
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "product_detail.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 109

🏁 Script executed:

cat -n ./smartylint/product_detail.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 2132

🏁 Script executed:

# Check for Smarty version or composer.json to understand version
find . -name "composer.json" -o -name "package.json" | head -5 | xargs cat 2>/dev/null | head -50

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check if there's a Smarty configuration or middleware that might handle escaping globally or CSRF
rg -l "escape|autoescape" --type-list | head -10
rg "autoescape|auto_literal" -i

Repository: coderabbitai/coderabbit-pr-review

Length of output: 467

🏁 Script executed:

# Search for CSRF token handling in the codebase
rg "csrf|token" -i --type-list | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 467

🏁 Script executed:

# Search for escaping and autoescape settings
rg "escape|autoescape" -i

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Search for CSRF token handling
rg "csrf|csrf_token" -i

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Look for Smarty configuration files
find . -name "*.php" -o -name "*.conf" | xargs grep -l "Smarty\|smarty" 2>/dev/null | head -10

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check root config/setup files
ls -la | grep -E "config|setup|smarty"

Repository: coderabbitai/coderabbit-pr-review

Length of output: 136

🏁 Script executed:

# List all files in repository
git ls-files

Repository: coderabbitai/coderabbit-pr-review

Length of output: 240

🏁 Script executed:

# Check for any Smarty security or escaping configuration
find . -type f -name "*.php" -o -name "*.tpl" -o -name "*.conf" | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 242

🏁 Script executed:

# Look at the header.tpl to see if there's any global escaping setup
cat ./smartylint/header.tpl 2>/dev/null

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1068

🏁 Script executed:

# Check for Smarty configuration or initialization
find . -name "*.php" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check README for context
cat README.md

Repository: coderabbitai/coderabbit-pr-review

Length of output: 99

🏁 Script executed:

# Look at other template files to see if they use escaping filters
cat ./smartylint/product_list.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1415

🏁 Script executed:

# Check for any escaping filters used anywhere in templates
rg "escape|e:|htmlspecialchars"

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Search for any autoescape or security configuration in all files
find . -type f \( -name "*.php" -o -name "*.conf" -o -name "*.yaml" -o -name "*.yml" \)

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

# Check if there are any escaping filters used in other templates
cat ./smartylint/checkout.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 2183

🏁 Script executed:

# Check email template as well
cat ./smartylint/email_order.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 872

Escape all dynamic content before rendering to prevent HTML/script injection.

Lines 11, 12, 16, 36, 37, 39, and 48 render unescaped user/product/review data. User-generated content like $Review.body and product names are particularly at risk. Add |escape or |htmlspecialchars filter to all dynamic outputs. Also replace deprecated @default modifier with @|default (Smarty 3+) or use {if} conditionals.

Additionally, the checkout form (line 20) is missing an explicit CSRF token field—verify framework middleware provides cross-site request forgery protection.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/product_detail.tpl` around lines 11 - 17, Escape all dynamic
template outputs and fix deprecated modifier usage: update occurrences of
{$Product.name}, {$Product.sku|@default:"n/a"},
{$Product.price|string_format:"%.2f"}, {$Product.long_description} and any
{$Review.body} or similar variables to use the Smarty escaping filter (e.g.,
|escape or |htmlspecialchars) and change the deprecated `@default` modifier to the
Smarty 3+ syntax (|default) or wrap with {if} checks; keep numeric formatting
(string_format) but pipe escape after formatting where appropriate. Also ensure
the checkout form includes an explicit CSRF token hidden field (or
verify/instrument framework CSRF middleware) so the form submission includes the
token for server-side validation.


{if $Product.in_stock}
<form action="/cart/add" method="post">
<input type="hidden" name="product_id" value="{$Product.id}">
<label>
Quantity:
<input type="number" name="qty" min="1" value="1">
</label>
<button type="submit">Add to cart</button>
</form>
Comment on lines +20 to +27
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 240

🏁 Script executed:

fd -t f "product_detail" --type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 107

🏁 Script executed:

fd -t f "cart" --type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

cat -n smartylint/product_detail.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 2132

🏁 Script executed:

cat -n smartylint/header.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1334

🏁 Script executed:

cat -n smartylint/footer.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1086

🏁 Script executed:

rg -i "csrf|token|xsrf" --type html --type tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 105

🏁 Script executed:

rg -i "csrf|token|xsrf" --max-count 50

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

fd -t f -e php -e py -e js -e go | head -30

Repository: coderabbitai/coderabbit-pr-review

Length of output: 59

🏁 Script executed:

rg "/cart/add" --max-count 20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 159

🏁 Script executed:

git ls-files

Repository: coderabbitai/coderabbit-pr-review

Length of output: 240

🏁 Script executed:

find . -type f -name "*.md" -o -name "*.txt" -o -name "*.json" -o -name "*.yaml" -o -name "*.yml" -o -name "*.xml" | head -20

Repository: coderabbitai/coderabbit-pr-review

Length of output: 89

🏁 Script executed:

cat README.md

Repository: coderabbitai/coderabbit-pr-review

Length of output: 99

Add CSRF token to the add-to-cart form.

The form at lines 20-27 performs a state-changing POST request to /cart/add without a CSRF token field. Include a CSRF token input (e.g., <input type="hidden" name="csrf_token" value="{$csrf_token}">) to protect against cross-site request forgery attacks.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/product_detail.tpl` around lines 20 - 27, The add-to-cart form
that posts to "/cart/add" is missing a CSRF token hidden input; update the form
(the <form action="/cart/add" ...> block that contains inputs product_id and qty
and the submit button) to include a hidden field named "csrf_token" with the
template variable value (e.g., {$csrf_token}) so the server can validate the
token on POST; ensure the hidden input appears inside the same form alongside
the existing product_id and qty inputs.

{/if}
</div>

<section class="reviews">
<h2>Customer reviews</h2>
{foreach $Reviews as $Review}
<article class="review">
<header>
<strong>{$Review.author_name}</strong>
<time>{$Review.created_at|@default:"recently"}</time>
</header>
<p>{$Review.body}</p>
</article>
{/foreach}
</section>

{if $RelatedProducts}
<aside class="related">
<h2>You may also like</h2>
{foreach $RelatedProducts as $Related}
<a href="/products/{$Related.slug}">{$Related.name}</a>
{/foreach}
</aside>
{/if}
</article>

{include file="footer.tpl"}
41 changes: 41 additions & 0 deletions smartylint/product_list.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
{include file=header.tpl page_title="All Products"}

<section class="product-grid">
<h1>{$category_name}</h1>

<p class="result-count">
Showing {$result_count} results for "{$search_query}"
</p>
Comment on lines +4 to +8
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "product_list.tpl" -type f

Repository: coderabbitai/coderabbit-pr-review

Length of output: 107

🏁 Script executed:

cat -n ./smartylint/product_list.tpl

Repository: coderabbitai/coderabbit-pr-review

Length of output: 1702

🌐 Web query:

Smarty template engine escape filter security XSS protection

💡 Result:

The Smarty template engine provides the |escape modifier as its primary mechanism for XSS protection. This modifier encodes variables for safe output in various contexts, preventing cross-site scripting (XSS) attacks by escaping special characters like &, ", ', <, and >. Key features: - Default: |escape or |escape:'html' escapes HTML context (& " ' < >). - |escape:'htmlall' escapes all HTML entities. - Other formats: 'url' for URLs, 'quotes' for single quotes, 'javascript' for JS, 'mail' for email obfuscation, 'hex', 'hexentity'. - Charset support (default UTF-8) and double-encode option. Usage example: {$articleTitle|escape:'html'} // Outputs: 'Stiff Opposition...' Global auto-escaping: Set $smarty->escape_html = true to automatically apply htmlspecialchars (equivalent to |escape:'html') to all variables. Disable per-variable with {$var nofilter}. Smarty Security: Enable with $smarty->enableSecurity or $security = true for untrusted templates (e.g., user-edited). Restricts PHP tags, dangerous modifiers/tags, file access to $secure_dir, etc. Whitelists via $allowed_modifiers, $allowed_tags. Primarily prevents code injection/SSTI, complements output escaping for XSS. Past issues: XSS in JS escaping fixed in 3.1.48/4.3.1 (CVE-2023-28447). Use latest versions (copyright to 2026 indicates active maintenance). Best practice: Always apply |escape (context-appropriate) to user-controlled data in HTML/attributes/JS/etc. Combine with Security for high-risk templates. Validate/sanitize inputs upstream.

Citations:

Escape dynamic values in output and fix unquoted attribute value.

Multiple variables are output without escaping, creating XSS vulnerabilities. Most critically, line 25 has an unquoted data-name attribute value that can break markup and enable injection if the variable contains spaces or special characters.

Lines affected:

  • Line 4: {$category_name}
  • Line 7: {$search_query} and {$result_count}
  • Lines 13–18: {$product.id}, {$product.slug}, {$product.image_url}, {$product.name} (multiple occurrences), {$product.short_description}
  • Line 22: {$product.discount_label}
  • Line 25: {$product.id} and {$product.name} (latter is unquoted)

Apply Smarty's |escape filter to all user-controlled variables:

🔧 Example fix for the critical unquoted attribute 
-<button data-product="{$product.id}" data-name={$product.name}>
+<button data-product="{$product.id|escape}" data-name="{$product.name|escape}">
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/product_list.tpl` around lines 4 - 8, Escape all user-controlled
Smarty template variables and quote attribute values to prevent XSS and broken
markup: wrap occurrences of {$category_name}, {$result_count}, {$search_query},
all {$product.*} fields (e.g., {$product.id}, {$product.slug},
{$product.image_url}, {$product.name}, {$product.short_description},
{$product.discount_label}) with the Smarty |escape modifier (e.g.,
{$variable|escape}) and ensure the data-name attribute uses a quoted, escaped
value (e.g., data-name="{$product.name|escape}"); update every instance in
product_list.tpl where these variables are output (including in URLs,
attributes, and text nodes) so all dynamic output is escaped and attributes are
quoted.


{if $products}
<ul class="products">
{foreach $products as $product}
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Close the products loop before ending the list

This {foreach $products as $product} is not followed by a matching {/foreach} before </ul>, which leaves Smarty block structure invalid. As a result, the product listing template will fail to compile/render whenever this page is requested.

Useful? React with 👍 / 👎.

<li class="product-card" data-id="{$product.id}">
<a href="/products/{$product.slug}">
<img src="{$product.image_url}" alt="{$product.name}">
<h2>{$product.name}</h2>
<p class="price">{$product.price|string_format:"%.2f"}</p>
<p class="description">{$product.short_description}</p>
</a>

{if $product.on_sale}
<span class="sale-badge">{$product.discount_label}</span>
{/if}

<button data-product="{$product.id}" data-name={$product.name}>
Add to cart
</button>
</li>
</ul>
Comment on lines +12 to +29
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Close the {foreach} block before </ul>.

Line 12 starts {foreach $products as $product} but the block is never closed, causing template parse failure.

🔧 Proposed fix 
             {foreach $products as $product}
                 <li class="product-card" data-id="{$product.id}">
                     ...
                 </li>
+            {/foreach}
         </ul>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{foreach $products as $product}
<li class="product-card" data-id="{$product.id}">
<a href="/products/{$product.slug}">
<img src="{$product.image_url}" alt="{$product.name}">
<h2>{$product.name}</h2>
<p class="price">{$product.price|string_format:"%.2f"}</p>
<p class="description">{$product.short_description}</p>
</a>
{if $product.on_sale}
<span class="sale-badge">{$product.discount_label}</span>
{/if}
<button data-product="{$product.id}" data-name={$product.name}>
Add to cart
</button>
</li>
</ul>
{foreach $products as $product}
<li class="product-card" data-id="{$product.id}">
<a href="/products/{$product.slug}">
<img src="{$product.image_url}" alt="{$product.name}">
<h2>{$product.name}</h2>
<p class="price">{$product.price|string_format:"%.2f"}</p>
<p class="description">{$product.short_description}</p>
</a>
{if $product.on_sale}
<span class="sale-badge">{$product.discount_label}</span>
{/if}
<button data-product="{$product.id}" data-name={$product.name}>
Add to cart
</button>
</li>
{/foreach}
</ul>
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@smartylint/product_list.tpl` around lines 12 - 29, The template opens a
{foreach $products as $product} loop but never closes it, causing a parse error;
close the loop by inserting the matching {/foreach} before the closing </ul> so
the list of <li class="product-card"> elements is properly wrapped and the
conditional {if $product.on_sale} and button remain inside the loop.

{else}
<p>No products matched your filters.</p>
{/if}

<nav class="pagination">
{foreach $pages as $page}
<a href="?page={$page}">{$page}</a>
{/foreach}
</nav>
</section>

{include file="footer.tpl"}