Cross-site scripting (XSS) vulnerability in the smartyfunctionhtmloptionsoptoutput function in distribution/libs/plugins/function.html_options.php in Smarty before 3.1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.