While making sure that the web host's integrity is maintained when nBBS runs in multi mode, I realized that Smarty, the beloved PHP templating engine, offers so many configuration options that it's hard to tell what's really secure and what isn't. Here is how I have implemented our security model:

// BEGIN Template system
require "smarty/Smarty.class.php";
$TEMPLATE = new Smarty;
$TEMPLATE->force_compile = false; // true for development
$TEMPLATE->compile_check = true;  // recompile when the template source changes
$TEMPLATE->debugging = false;     // never ship with the debug console on
// $TEMPLATE->caching = true;
// Security
$TEMPLATE->php_handling = SMARTY_PHP_REMOVE; // default: do not allow php tags
$TEMPLATE->security = TRUE; // Pseudo-safe mode
$TEMPLATE->security_settings['MODIFIER_FUNCS'] = array('substr'); // only PHP function usable as a modifier
$TEMPLATE->trusted_dir = array(); // No trusted directory. Ever.
//
$TEMPLATE->register_outputfilter("template_postfilter"); // post-process every rendered template
// END Template system

Obviously, the section you should be concerned with is under ‘Security’.
Note that Smarty's documentation is a bit confusing regarding allowing PHP in templates, but in the end it boils down to this: there is an associative array, called 'security_settings', and its keys are:
PHP_HANDLING, which allows you to ignore the setting of $php_handling (!!!)
IF_FUNCS lists the PHP functions allowed in an {if} statement
INCLUDE_ANY allows you to ignore $secure_dir, but it seems to take $trusted_dir into account
PHP_TAGS, when true, allows {php} statements, unless overridden by $php_handling
and finally:
MODIFIER_FUNCS is an array of functions allowed when interpreting PHP... note that it also allows functions for {if} statements!

Oh, and ALLOW_CONSTANTS. No relevance here.

What a mess.
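Rather than trusting the documentation, the quickest way to find out what these settings do on a given install is to feed secure mode a few templates and watch what it refuses. The harness below is added here as an example and is not code from the post, from nBBS or from Smarty; it assumes Smarty 2.x at smarty/Smarty.class.php, PHP 5.5 or later, and a writable system temp directory, and the probe templates are constructed for the example.

```php
<?php
// Added example (not from the original post or from nBBS/Smarty): renders a few
// constructed probe templates through the post's hardened Smarty 2 setup and
// reports which ones secure mode refuses. Assumes Smarty 2.x under smarty/.
require "smarty/Smarty.class.php";
function hardened_smarty($tpl_dir, $compile_dir) {
    $s = new Smarty;
    $s->template_dir  = $tpl_dir;
    $s->compile_dir   = $compile_dir;
    $s->force_compile = true;                  // recompile every probe
    $s->php_handling  = SMARTY_PHP_REMOVE;     // strip raw <?php ... ?> blocks
    $s->security      = true;                  // secure mode, as in the post
    $s->security_settings['MODIFIER_FUNCS'] = array('substr');
    $s->trusted_dir   = array();               // no trusted directory
    $s->assign('name', 'Smarty');
    return $s;
}

// Smarty 2 reports security violations via trigger_error(), so E_USER_ERROR
// and E_USER_WARNING are turned into exceptions for the duration of one fetch.
function probe($smarty, $label, $source) {
    $file = $label . '.tpl';
    file_put_contents($smarty->template_dir . '/' . $file, $source);
    set_error_handler(function ($no, $msg) { throw new ErrorException($msg, 0, $no); },
                      E_USER_ERROR | E_USER_WARNING);
    try {
        return 'rendered: ' . var_export($smarty->fetch($file), true);
    } catch (ErrorException $e) {
        return 'rejected: ' . $e->getMessage();
    } finally {
        restore_error_handler();
    }
}

$base = sys_get_temp_dir() . '/smarty_probe';
@mkdir($base . '/tpl', 0700, true); @mkdir($base . '/c', 0700, true);
$smarty = hardened_smarty($base . '/tpl', $base . '/c');

// Constructed probes, one per setting the post discusses.
$probes = array(
    'plain'    => '{$name}',                         // baseline, no PHP involved
    'mod_ok'   => '{$name|substr:0:3}',              // substr is on MODIFIER_FUNCS
    'mod_deny' => '{$name|strtoupper}',              // not on MODIFIER_FUNCS
    'if_func'  => '{if strlen($name) > 2}long{/if}', // IF_FUNCS / MODIFIER_FUNCS
    'php_tag'  => '{php}echo "x";{/php}',            // PHP_TAGS defaults to false
    'raw_php'  => 'a<?php echo "x"; ?>b',            // governed by php_handling
);
foreach ($probes as $label => $source) {
    echo str_pad($label, 9), probe($smarty, $label, $source), "\n";
}
```

Run it once with the configuration above and once with a setting flipped (say, PHP_HANDLING or PHP_TAGS) and diff the two reports; that tells you what the install actually enforces.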
