diff --git a/phpBB/includes/functions_template.php b/phpBB/includes/functions_template.php
index 55cb9b1e1a..ac15244687 100644
--- a/phpBB/includes/functions_template.php
+++ b/phpBB/includes/functions_template.php
@@ -68,6 +68,56 @@ class template_compile
 $this->compile_write($handle, $this->template->compiled_code[$handle]);
 }
+ /**
+ * Straight-forward strategy: use PHP's tokenizer to escape everything that
+ * looks like a PHP tag.
+ *
+ * We open/close PHP tags at the beginning of the template to clearly indicate
+ * that we are in HTML mode. If we find a PHP tag, we escape it then we reiterate
+ * over the whole file. That can become quite slow if the file is stuffed with ' . $code);
+ $code = '';
+ $php_found = false;
+
+ foreach ($tokens as $i => $token)
+ {
+ if (!is_array($token))
+ {
+ $code .= $token;
+ }
+ else if ($token[0] == T_OPEN_TAG || $token[0] == T_OPEN_TAG_WITH_ECHO || $token[0] == T_CLOSE_TAG)
+ {
+ if ($i > 1)
+ {
+ $code .= htmlspecialchars($token[1]);
+ $php_found = true;
+ }
+ }
+ else
+ {
+ $code .= $token[1];
+ }
+ }
+ unset($tokens);
+
+ // Fix for a tokenizer oddity
+ if (!strncmp($code, ' - $match_php_tags = array('#\<\?php .*?\?\>#is', '#\#is', '#\<\?.*?\?\>#s', '#\<%.*?%\>#s');
 $code = preg_replace($match_php_tags, '', $code);
+ // An alternative to the above would be calling this function which would be the ultimate solution but also has it's drawbacks.
+ // At the moment it is commented out until we decide which method to use.
+// $this->remove_php_tags($code);
+
+ // Pull out all block/statement level elements and seperate plain text
 preg_match_all('#(.*?)#s', $code, $matches);
 $php_blocks = $matches[1];
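Review bot: The new remove_php_tags() is only wired in as a commented-out call (`// $this->remove_php_tags($code);`), so at this commit the regex `$code = preg_replace($match_php_tags, '', $code);` remains the sole filter stripping PHP from templates and the tokenizer-based method is unreachable, untested code; its doc comment should say so, e.g. `* NOTE: not yet called from compile(); the preg_replace() there is still the active filter.` When it is enabled, keep in mind that the tokenizer only recognises the tags the running interpreter's lexer accepts (short_open_tag/asp_tags are ini-dependent), so the explicit `<% ... %>` pattern in the regex list would have no tokenizer equivalent — that difference deserves a comment, since a compiled template presumably may be cached and executed later under different settings. The loop also relies on `if ($i > 1)` to skip the two synthetic tokens produced by the open/close tag prepended to `$code`; that assumption should be stated inline, e.g. `// tokens 0 and 1 are the synthetic open/close tag prepended above; only escape tags from the template itself`. The start of the function and the tail of the `strncmp` check are not legible in this view, so the reiteration described in the doc comment could not be reviewed.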