diff --git a/CHANGELOG.md b/CHANGELOG.md
index 069e70560..d06da7373 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Dropped deprecated $smarty->getVariable() method. Use $smarty->getTemplateVars() instead.
 - $smarty->registerResource() no longer accepts an array of callback functions
 
+## [3.1.40] - 2021-10-13
+
+### Changed
+- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649
+
+### Security
+- More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov
+
+## [3.1.39] - 2021-02-17
+
+### Security
+- Prevent access to `$smarty.template_object` in sandbox mode. This addresses CVE-2021-26119.
+- Fixed code injection vulnerability by using illegal function names in `{function name='blah'}{/function}`. This addresses CVE-2021-26120.
+
 ## [3.1.38] - 2021-01-08
 
 ### Fixed
@@ -336,7 +350,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  20.09.2016
   - bugfix some $smarty special template variables are no longer accessed as real variable.
     using them on calls like {if isset($smarty.foo)} or {if empty($smarty.foo)} will fail
-    https://www.smarty.net/forums/viewtopic.php?t=26222
+    http://www.smarty.net/forums/viewtopic.php?t=26222
   - temporary fix for https://github.com/smarty-php/smarty/issues/293 main reason still under investigation
   - improvement new tags {block_parent} {block_child} in template inheritance
 
@@ -348,7 +362,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - bugfix assigning a variable in if condition by function like {if $value = array_shift($array)} the function got called twice https://github.com/smarty-php/smarty/issues/291
   - bugfix function plugins called with assign attribute like {foo assign='bar'} did not output returned content because
            because assumption was made that it was assigned to a variable https://github.com/smarty-php/smarty/issues/292
-  - bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay https://www.smarty.net/forums/viewtopic.php?t=26282
+  - bugfix calling $smarty->isCached() on a not existing cache file with $smarty->cache_locking = true; could cause a 10 second delay http://www.smarty.net/forums/viewtopic.php?t=26282
   - improvement make Smarty::clearCompiledTemplate() on custom resource independent from changes of templateId computation
 
  11.09.2016
diff --git a/README.md b/README.md
index 8d2bc0fa4..112b8f63c 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Smarty can be run with PHP 7.1 to PHP 8.0.
 
 > Read the NEW_FEATURES and INHERITANCE_RELEASE_NOTES file for recent extensions to Smarty 3.1 functionality
 
-Smarty versions 3.1.11 or later are now on github and can be installed with Composer.
+Smarty versions 3.1.11 or later are now on GitHub and can be installed with Composer.
 
 
 The "smarty/smarty" package will start at libs/....   subfolder.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..d98ea0189
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+Smarty currently supports the latest minor version of Smarty 3 and Smarty 4. (Smarty 4 has not been released yet.)
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 4.0.x   | :white_check_mark: |
+| 3.1.x   | :white_check_mark: |
+| < 3.1   | :x:                |
+
+## Reporting a Vulnerability
+
+ If you have discovered a security issue with Smarty, please contact us at mail [at] simonwisselink.nl. Do not 
+ disclose your findings publicly and PLEASE PLEASE do not file an Issue.
+ 
+We will try to confirm the vulnerability and develop a fix if appropriate. When we release the fix, we will publish 
+a security release. Please let us know if you want to be credited.
diff --git a/libs/Smarty.class.php b/libs/Smarty.class.php
index 59dd3bcac..294c1245d 100644
--- a/libs/Smarty.class.php
+++ b/libs/Smarty.class.php
@@ -98,7 +98,7 @@ class Smarty extends Smarty_Internal_TemplateBase
     /**
      * smarty version
      */
-    const SMARTY_VERSION = '3.1.38';
+    const SMARTY_VERSION = '3.1.40';
     /**
      * define variable scopes
      */
diff --git a/libs/plugins/modifier.escape.php b/libs/plugins/modifier.escape.php
index 0c0f74da7..47489aa98 100644
--- a/libs/plugins/modifier.escape.php
+++ b/libs/plugins/modifier.escape.php
@@ -181,7 +181,11 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
                     '"'  => '\\"',
                     "\r" => '\\r',
                     "\n" => '\\n',
-                    '</' => '<\/'
+                    '</' => '<\/',
+                    // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+                    '<!--' => '<\!--',
+                    '<s'   => '<\s',
+                    '<S'   => '<\S'
                 )
             );
         case 'mail':
@@ -247,6 +251,7 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
             }
             return $return;
         default:
+            trigger_error("escape: unsupported type: $esc_type - returning unmodified string", E_USER_NOTICE);
             return $string;
     }
 }
diff --git a/libs/plugins/modifiercompiler.escape.php b/libs/plugins/modifiercompiler.escape.php
index 30e2d28be..70b95cc9d 100644
--- a/libs/plugins/modifiercompiler.escape.php
+++ b/libs/plugins/modifiercompiler.escape.php
@@ -86,9 +86,10 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
                 return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';
             case 'javascript':
                 // escape quotes and backslashes, newlines, etc.
+                // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
                 return 'strtr(' .
                        $params[ 0 ] .
-                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/" ))';
+                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
         }
     } catch (SmartyException $e) {
         // pass through to regular plugin fallback
diff --git a/libs/sysplugins/smarty_internal_compile_function.php b/libs/sysplugins/smarty_internal_compile_function.php
index 6e408ca72..d0f2b0f4a 100644
--- a/libs/sysplugins/smarty_internal_compile_function.php
+++ b/libs/sysplugins/smarty_internal_compile_function.php
@@ -58,6 +58,11 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler)
         }
         unset($_attr[ 'nocache' ]);
         $_name = trim($_attr[ 'name' ], '\'"');
+
+        if (!preg_match('/^[a-zA-Z0-9_\x80-\xff]+$/', $_name)) {
+	        $compiler->trigger_template_error("Function name contains invalid characters: {$_name}", null, true);
+        }
+
         $compiler->parent_compiler->tpl_function[ $_name ] = array();
         $save = array(
             $_attr, $compiler->parser->current_buffer, $compiler->template->compiled->has_nocache_code,
diff --git a/libs/sysplugins/smarty_internal_compile_private_special_variable.php b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
index de7d4a224..d53ef51ff 100644
--- a/libs/sysplugins/smarty_internal_compile_private_special_variable.php
+++ b/libs/sysplugins/smarty_internal_compile_private_special_variable.php
@@ -81,6 +81,10 @@ public function compile($args, Smarty_Internal_TemplateCompilerBase $compiler, $
                 case 'template':
                     return 'basename($_smarty_tpl->source->filepath)';
                 case 'template_object':
+                    if (isset($compiler->smarty->security_policy)) {
+                        $compiler->trigger_template_error("(secure mode) template_object not permitted");
+                        break;
+                    }
                     return '$_smarty_tpl';
                 case 'current_dir':
                     return 'dirname($_smarty_tpl->source->filepath)';
diff --git a/make-release.sh b/make-release.sh
index 8357ecf9f..b3a9df64b 100755
--- a/make-release.sh
+++ b/make-release.sh
@@ -14,6 +14,6 @@ git pull
 git merge --no-ff "release/$1"
 git branch -d "release/$1"
 git tag -a "v$1" -m "Release $1"
-git push --follow-tags
 
 printf 'Done creating release %s\n' "$1"
+printf 'Run `git push --follow-tags origin` to publish it.\n'
diff --git a/tests/UnitTests/CacheResourceTests/_shared/CacheResourceTestCommon.php b/tests/UnitTests/CacheResourceTests/_shared/CacheResourceTestCommon.php
index 971e4338c..92207d2ad 100644
--- a/tests/UnitTests/CacheResourceTests/_shared/CacheResourceTestCommon.php
+++ b/tests/UnitTests/CacheResourceTests/_shared/CacheResourceTestCommon.php
@@ -339,6 +339,10 @@ public function testClearCacheCacheFile()
         $this->assertNull($tpl->cached->handler->getCachedContent($tpl3));
         $this->assertEquals('hello world', $tpl->cached->handler->getCachedContent($tpl4));
     }
+
+    /**
+     * @group slow
+     */
    public function testClearCacheExpired()
     {
         $this->smarty->caching = true;
@@ -399,7 +403,7 @@ public function testClearCacheCacheFileSub()
      * @runInSeparateProcess
      * @preserveGlobalState disabled
      * @dataProvider data
-     *
+     * @group slow
      */
     public function testCache($lockTime, $lockTimeout, $compile_id, $cache_id, $isCached, $tmin, $tmax, $forceCompile, $forceCache, $update, $testNumber, $compileTestNumber, $renderTestNumber, $testName)
     {
diff --git a/tests/UnitTests/ResourceTests/Extends/ExtendsResourceTest.php b/tests/UnitTests/ResourceTests/Extends/ExtendsResourceTest.php
index 3a5bcfe33..e5d8a718d 100644
--- a/tests/UnitTests/ResourceTests/Extends/ExtendsResourceTest.php
+++ b/tests/UnitTests/ResourceTests/Extends/ExtendsResourceTest.php
@@ -125,7 +125,7 @@ public function testCompileBlockGrandChildMustCompile_021_12()
      * test  grandchild/child/parent dependency test2
      * @runInSeparateProcess
      * @preserveGlobalState disabled
-     *
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_2()
     {
@@ -193,7 +193,7 @@ public function testCompileBlockGrandChildMustCompile_021_32()
      * test  grandchild/child/parent dependency test4
      * @runInSeparateProcess
      * @preserveGlobalState disabled
-     *
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_4()
     {
diff --git a/tests/UnitTests/SecurityTests/SecurityTest.php b/tests/UnitTests/SecurityTests/SecurityTest.php
index dac8c81c4..72bb3cdc0 100644
--- a/tests/UnitTests/SecurityTests/SecurityTest.php
+++ b/tests/UnitTests/SecurityTests/SecurityTest.php
@@ -341,6 +341,15 @@ public function testNotTrustedUri()
         $this->smarty->security_policy->trusted_uri = array();
         $this->assertStringContainsString('<title>Preface | Smarty</title>', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
     }
+
+    /**
+     * In security mode, accessing $smarty.template_object should be illegal.
+     * @expectedException SmartyCompilerException
+     */
+    public function testSmartyTemplateObject() {
+        $this->smarty->display('string:{$smarty.template_object}');
+    }
+
 }
 
 class mysecuritystaticclass
diff --git a/tests/UnitTests/TemplateSource/TagTests/BockExtend/CompileBlockExtendsTest.php b/tests/UnitTests/TemplateSource/TagTests/BockExtend/CompileBlockExtendsTest.php
index fa736f316..84eaf92ae 100644
--- a/tests/UnitTests/TemplateSource/TagTests/BockExtend/CompileBlockExtendsTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/BockExtend/CompileBlockExtendsTest.php
@@ -610,7 +610,7 @@ public function testCompileBlockGrandChildMustCompile_021_12()
      *
      * @runInSeparateProcess
      * @preserveGlobalState disabled
-     *
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_2()
     {
@@ -645,7 +645,7 @@ public function testCompileBlockGrandChildMustCompile_021_2()
      *
      * @runInSeparateProcess
      * @preserveGlobalState disabled
-     *
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_3()
     {
@@ -670,7 +670,7 @@ public function testCompileBlockGrandChildMustCompile_021_3()
      *
      * @runInSeparateProcess
      * @preserveGlobalState disabled
-     *
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_32()
     {
@@ -692,6 +692,7 @@ public function testCompileBlockGrandChildMustCompile_021_32()
      *
      * @runInSeparateProcess
      * @preserveGlobalState disabled
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_4()
     {
@@ -716,6 +717,7 @@ public function testCompileBlockGrandChildMustCompile_021_4()
      *
      * @runInSeparateProcess
      * @preserveGlobalState disabled
+     * @group slow
      */
     public function testCompileBlockGrandChildMustCompile_021_42()
     {
diff --git a/tests/UnitTests/TemplateSource/TagTests/Insert/CompileInsertTest.php b/tests/UnitTests/TemplateSource/TagTests/Insert/CompileInsertTest.php
index aa9ba3478..6e608df9d 100644
--- a/tests/UnitTests/TemplateSource/TagTests/Insert/CompileInsertTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/Insert/CompileInsertTest.php
@@ -210,6 +210,7 @@ public function testInsertPluginCaching3_1()
      * test insert plugin caching 2
      * @runInSeparateProcess
      * @preserveGlobalState disabled
+     * @group slow
      */
     public function testInsertPluginCaching3_2()
     {
diff --git a/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php b/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
index a174f5a0b..ca3e37141 100644
--- a/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
+++ b/tests/UnitTests/TemplateSource/TagTests/TemplateFunction/CompileFunctionTest.php
@@ -431,5 +431,14 @@ public function dataTestSpacing()
                      array("{function name=simple}A{\$foo}\nC{/function}{call name='simple'}", "Abar\nC", 'T14', $i++),
                      array("{function name=simple}A\n{\$foo}\nC{/function}{call name='simple'}", "A\nbar\nC", 'T15', $i++),
         );
-            }
+    }
+
+    /**
+     * Test handling of function names that are a security risk
+     * @expectedException        SmartyCompilerException
+     */
+    public function testIllegalFunctionName() {
+	    $this->smarty->fetch('string:{function name=\'rce(){};echo "hi";function \'}{/function}');
+    }
+
 }
diff --git a/tests/UnitTests/TemplateSource/ValueTests/SmartySpecialVars/Now/SmartyNowTest.php b/tests/UnitTests/TemplateSource/ValueTests/SmartySpecialVars/Now/SmartyNowTest.php
index 64a07f6ca..ed7d6b35f 100644
--- a/tests/UnitTests/TemplateSource/ValueTests/SmartySpecialVars/Now/SmartyNowTest.php
+++ b/tests/UnitTests/TemplateSource/ValueTests/SmartySpecialVars/Now/SmartyNowTest.php
@@ -35,7 +35,7 @@ public function testSmartyNow() {
     }
     /**
      * test {$smarty.now nocache}
-     *
+     * @group slow
      */
     public function testSmartyNowNocache() {
         $this->smarty->setCaching(true);