On 06-08-2009 at 22:53:22 Ionut Matei <johnu...@gmail.com> wrote:

> If a template contains php code, it gets into the compiled template and will be executed...
>
> I think a pre-filter can be created for stripping php code, but is there a feature or setting in PHPTAL for preventing executing php code placed inside php tags (e.g. like

Currently there isn't such an option. PHPTAL has been designed with the assumption that template authors can be trusted.

With a few small changes you can disable <?php ?> blocks in templates and the php: prefix, but I cannot guarantee that there are no other ways to execute arbitrary PHP in PHPTAL.

regards, Kornel

PHPTAL mailing list
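A check in the spirit of the pre-filter idea raised in this thread, as an added example that is not part of the original messages or of PHPTAL: it reports, rather than strips, the two entry points named in the reply (`<?php ?>` blocks and the `php:` prefix), so a template from an untrusted author can be rejected before it is compiled. As the reply says, this cannot be taken as covering every way to run PHP; the function name `find_php_in_template` and the sample template are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: list the constructs in a template source that would
 * put PHP code into the compiled template. Deliberately over-reports, so a
 * caller that rejects on any finding errs on the side of refusing a template.
 */
function find_php_in_template(string $src): array
{
    $patterns = [
        // Any "<?" opener (<?php, <?=, short tags); XML declarations and
        // xml-* processing instructions are skipped.
        'php-block'  => '/<\?(?!xml\b)/i',
        // "php:" expression prefix anywhere it is not part of a longer word,
        // e.g. tal:content="php:...", "structure php:..." or ${php:...}.
        'php-prefix' => '/(?<![\w-])php:/i',
    ];
    $lines = preg_split('/\R/', $src);
    $findings = [];
    foreach ($patterns as $kind => $re) {
        preg_match_all($re, $src, $m, PREG_OFFSET_CAPTURE);
        foreach ($m[0] as [$text, $offset]) {
            // Line number = newlines before the match, plus one.
            $line = substr_count($src, "\n", 0, $offset) + 1;
            $findings[] = ['line' => $line, 'kind' => $kind,
                           'excerpt' => trim($lines[$line - 1] ?? '')];
        }
    }
    usort($findings, fn($a, $b) => $a['line'] <=> $b['line']);
    return $findings;
}

// Constructed sample template (not taken from the thread).
$template = <<<'TPL'
<?xml version="1.0"?>
<html>
  <body>
    <p tal:content="user/name">name</p>
    <p tal:content="php:date('Y')">year</p>
    <?php echo 'x'; ?>
    <span>${php:strtoupper(title)}</span>
  </body>
</html>
TPL;

foreach (find_php_in_template($template) as $f) {
    printf("line %d: %s: %s\n", $f['line'], $f['kind'], $f['excerpt']);
}
```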
