On 06-08-2009 at 22:53:22 Ionut Matei <johnu...@gmail.com> wrote:

If a template contains php code, it gets into the compiled template and will be executed...

I think a pre-filter can be created for stripping php code, but is there a feature or setting in PHPTAL for preventing executing php code placed inside php tags (e.g. like *$php_handling* <http://www.smarty.net/manual/en/variable.php.handling.php> in smarty)?

Currently there isn't such an option. PHPTAL has been designed with the assumption that template authors can be trusted.

With a few small changes you can disable <?php ?> blocks in templates and the php: prefix, but I cannot guarantee that there are no other ways to execute arbitrary PHP in PHPTAL.

--
regards, Kornel

_______________________________________________
PHPTAL mailing list
PHPTAL@lists.motion-twin.com
http://lists.motion-twin.com/mailman/listinfo/phptal
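
A check for the two constructs named in the reply above, as an added example that is not part of the original thread or of PHPTAL. It rejects a template rather than stripping it and covers only `<?php ?>`-style blocks and the `php:` prefix, so it is a review gate, not a sandbox; the function name, the regexes and the sample template are assumptions of this example.

```php
<?php
// Added example, not PHPTAL code. Flags the two constructs named in the
// thread so that untrusted templates can be refused before compilation.

/**
 * Scan template source and return a list of findings.
 * Each finding is ['line' => int, 'kind' => string, 'text' => string].
 */
function find_php_in_template(string $src): array
{
    $rules = [
        // Any processing instruction except the XML declaration:
        // covers "<?php", "<?=" and bare short open tags.
        'php-block'  => '/<\?(?!xml\b)[^\s>]*/i',
        // The php: expression prefix, e.g. tal:content="php:..." or ${php:...}.
        // Deliberately broad: "php:" in plain text is flagged too (fail closed).
        'php-prefix' => '/(?<![\w-])php:/i',
    ];
    $findings = [];
    foreach ($rules as $kind => $regex) {
        preg_match_all($regex, $src, $m, PREG_OFFSET_CAPTURE);
        foreach ($m[0] as [$text, $offset]) {
            // Line number = newlines before the match, plus one.
            $line = substr_count(substr($src, 0, $offset), "\n") + 1;
            $findings[] = ['line' => $line, 'kind' => $kind, 'text' => $text];
        }
    }
    usort($findings, fn($a, $b) => $a['line'] <=> $b['line']);
    return $findings;
}

// Constructed sample template (not from the thread).
$template = <<<'TPL'
<?xml version="1.0"?>
<div tal:content="php:strtoupper(name)">placeholder</div>
<?php echo date('Y'); ?>
<p>${user/name}</p>
TPL;

foreach (find_php_in_template($template) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['kind'], $f['text']);
}
```

An empty result means only that neither construct was found; as the reply says, other ways to reach PHP from a template may exist.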
