[PHPTAL] Phptal and security

Han phptal at safeblue.com
Wed May 10 01:01:24 CEST 2006


Hello:

Is there any way to execute an arbitrary php function in phptal other
than the php: tag?

We are planning to use phptal as the page processor in a wiki package we
are developing. The users (open to general public) will be able to post
html pages with javascript and phptal. They won't be able to modify the php
part but they will be able to modify the presentation any way they want.
Since this is substantially richer than other wiki packages (e.g.,
mediawiki) where the user is only allowed a subset of html, we are
worried that there might be a major security hole that we are missing.

Does this fear have any foundation? We would hate to switch to client
side xslt just for security.

Thanks
-Han
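One pre-publish check for the setup described in the post, added here as an example (it is not PHPTAL's code and not from the post): it walks a user-submitted template and reports every TAL/METAL attribute or ${...} interpolation whose TALES expression uses the php: modifier, so such pages can be rejected before they reach the engine. The "name expression" handling for tal:define, tal:attributes and tal:repeat is my reading of PHPTAL's syntax, and the two sample templates are constructed for the demo.

```python
import re
from html.parser import HTMLParser

# A TALES alternative handed to PHP: optional structure/text keyword, then php:
PHP_PREFIX = re.compile(r"^\s*(?:structure\s+|text\s+)?php\s*:", re.IGNORECASE)
INTERPOLATION = re.compile(r"\$\{([^}]*)\}")      # ${...} in text or attributes

def _expressions(attr, value):
    # Yield every TALES alternative ("a | b") of every ";"-separated segment.
    for segment in value.split(";"):
        if attr in ("tal:define", "tal:attributes", "tal:repeat"):  # "name expr"
            if attr == "tal:define":                  # drop global/local keyword
                segment = re.sub(r"^\s*(?:global|local)\s+", "", segment)
            parts = segment.split(None, 1)            # drop the variable name
            segment = parts[1] if len(parts) == 2 else ""
        for alternative in segment.split("|"):
            yield alternative.strip()

class PhpExpressionFinder(HTMLParser):
    # Collects php: expressions from TAL/METAL attributes and ${...} text.
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):          # also reached for <x/>
        for name, value in attrs:
            value = value or ""
            if name.startswith(("tal:", "metal:")):
                for expr in _expressions(name, value):
                    if PHP_PREFIX.match(expr):
                        self.findings.append(f"<{tag} {name}>: {expr}")
            self._check_interpolation(value, f"<{tag} {name}>")
    def handle_data(self, data):
        self._check_interpolation(data, "text")
    def _check_interpolation(self, text, where):
        for expr in INTERPOLATION.findall(text):
            if any(PHP_PREFIX.match(alt) for alt in expr.split("|")):
                self.findings.append(f"{where}: ${{{expr}}}")

def find_php_expressions(template):
    # Return the php: expressions found in a template string (empty list = none).
    finder = PhpExpressionFinder()
    finder.feed(template)
    finder.close()
    return finder.findings

# Constructed samples: path/string expressions only, versus php: reached
# through tal:define, a ${...} interpolation and a "|" alternative.
SAFE_TEMPLATE = '<p tal:content="user/name">name</p><a tal:attributes="href string:/wiki/${page/id}">x</a>'
UNSAFE_TEMPLATE = ('<div tal:define="global x php: phpinfo()"><p>${php: phpinfo()}</p>'
                   '<span tal:content="path:page/body | php: phpversion()"/></div>')
```

The matcher is deliberately loose (case-insensitive, whitespace-tolerant, and it splits on ";" and "|" naively), so it prefers a false rejection over a miss. It only covers the php: modifier: ordinary path expressions can still call methods on whatever objects the PHP side places in the template context, so that set deserves the same review.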
