PHPTAL is pretty security conscious as far as template engine concerns go.
It does automatic output escaping unless you use the 'structure' modifier in
TALES expressions, which is more than most other templating engines do.
The only point I'm aware of where PHPTAL increases the security risk is with
the default location for compiled templates. It'll put them in the temporary
folder (/tmp on Unix-like systems). Since that folder is 'world writable',
any user on the server can put a file in there which matches the filename
generated for a template and which would be included/executed by PHPTAL
instead of the proper generated template. There are methods in PHPTAL,
though, to change the location of the compiled templates directory, so it can
be easily secured.
As for people being able to inject JS code, I guess they mean that a
commenter can put JS in a comment. However, in that case, the responsibility
for cleaning any XSS or any other form of script injection lies with the "input
filter", which has nothing to do with a template engine; it's a completely
different sub-system, and if WP relies on 'output escaping' to do that job,
that seems a really smelly design.
If you can give us a log of the conversations with the WP community where
they suggest that PHPTAL can be a security breach, it'd be easier to
understand what their concern is.
On Fri, Jan 9, 2009 at 12:46 AM, Alister Cameron <
> As per my last emails, I have been working on a WordPress theme that
> amounts to a rather radical departure for WordPress, in terms of
> implementing a templating engine.
> The response, in part, is to suggest that it is a security breach and that
> there's nothing to stop people injecting JS and what not...
> Now, I can't see why anyone would think that, and I'll deal with those
> objections, but are there any guidelines or issues to consider with PHPTAL
> in terms of security?
> Very general question, I know, but I'm just looking for a little guidance,
> in case there are some right and wrong ways to do things here...
> Alister Cameron // Blogologist
> Mob. 04 0404 5555
> Fax 03 8610 0050
> PHPTAL mailing list
PHPTAL mailing list
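The two points raised in the reply above (moving compiled templates out of the world-writable /tmp, and the difference between the default escaped output and the 'structure' modifier) as an added example. This is not code from the thread or from the PHPTAL project; it uses PHPTAL's public methods setPhpCodeDestination(), setSource(), set() and execute(), and assumes PHPTAL is loadable via require_once 'PHPTAL.php' and that the posix extension is available. The cache directory path and the sample comment strings are assumptions.

```php
<?php
// Added example (not from the original thread or the PHPTAL project):
// keep compiled templates out of /tmp and show PHPTAL's escaping behaviour.
require_once 'PHPTAL.php';

// Compiled-template directory: owned by the web server user, not writable
// by anyone else, and outside the document root. Path is an assumption.
$compileDir = __DIR__ . '/cache/phptal_compiled';

if (!is_dir($compileDir) && !mkdir($compileDir, 0700, true)) {
    throw new RuntimeException("Cannot create $compileDir");
}

// Refuse to compile into a directory that others can write to: this is the
// /tmp problem from the reply, where another local user could drop a file
// with the generated filename and have PHPTAL include it instead.
$perms = fileperms($compileDir) & 0777;
if ($perms & 0022) {
    throw new RuntimeException(sprintf(
        "%s is group/world writable (mode %04o); refusing to compile templates there",
        $compileDir, $perms
    ));
}
// Requires the posix extension (assumption); without it, drop this check.
if (fileowner($compileDir) !== posix_geteuid()) {
    throw new RuntimeException("$compileDir is not owned by the current process user");
}

$tal = new PHPTAL();
$tal->setPhpCodeDestination($compileDir);

// Constructed template. The default tal:content path is escaped on output;
// the 'structure' modifier emits the value as-is, so only values that the
// input filter has already sanitized should ever go through it.
$tal->setSource('<div>
  <p class="escaped" tal:content="comment">placeholder</p>
  <p class="raw" tal:content="structure trusted_html">placeholder</p>
</div>');

// Constructed sample values: an untrusted comment and a pre-sanitized fragment.
$tal->set('comment', '<script>alert(1)</script>');
$tal->set('trusted_html', '<b>already sanitized by the input filter</b>');

// The first <p> will contain &lt;script&gt;...; the second keeps its <b> tag.
echo $tal->execute();
```

The ownership and mode checks run before any template is compiled, so a misconfigured deployment fails closed rather than silently writing into a shared directory. On a server where the posix extension is not present, keep the mode check and drop the owner comparison.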