Daily Archives: July 12, 2005

Security Checking PHP Templates

WordPress uses PHP as its templating language. It’s well established and, as I’ve said before, there’s an abundance of free themes out there for it.
Unfortunately, in a multi-user environment, allowing untrusted users to edit PHP code on your server is a huge security risk: a theme file is ordinary PHP, so whoever can edit one can run anything the web server’s account can. There has to be some way to limit the functions a user can call, and there is!
PHP already has to lex every script it runs, so why not take advantage of that engine? The Tokenizer extension (enabled by default since PHP 4.3) lets you do just that.
Feed your template through token_get_all() and it’ll spit out an array containing the inline HTML, PHP keywords, identifiers, strings and punctuation from your file. Each element is either a three-element array (token id, the token’s text, its line number) or, for single-character punctuation such as ‘(’ and ‘;’, just the bare character as a string.
Here’s the start of an if statement that should be familiar to anyone who has opened a theme, `<?php if (have_posts()) ...`, as token_get_all() sees it (the bare parentheses are the single-character string tokens):

T_OPEN_TAG: '<?php '
T_IF: 'if'
T_WHITESPACE: ' '
(
T_STRING: 'have_posts'
(
)
)

We then need to compile a list of allowed functions, which can be built from the function definitions in wp-includes/*, and we’re well on the way to a safe environment for WP bloggers. The list on its own isn’t enough, though: the checker also has to refuse eval, include/require, backtick commands, variable functions ($f()) and variable variables ($$x), because each of those calls something the list never gets to see. Functions that take a callback by name (call_user_func, add_action, add_filter and friends) have to stay off the list too, since ‘system’ is a perfectly valid callback. And the tokenizer only constrains the PHP; whatever HTML and script the author writes around it is a separate problem. Any more ideas?
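Putting the idea together, here is a checker built on token_get_all(). It is an added example, not code from the original post or from WordPress; the four-function allow-list and the policy choices (no objects, classes or closures in templates at all) are assumptions for illustration, and the sample template is constructed.

```php
<?php
// Added example, not code from the original post or from WordPress.
// Policy enforced: a template may contain HTML, control flow, literals, plain
// variables and calls to functions on an allow-list. Anything that reaches code
// by another route (eval, include/require, backticks, $f(), $$x, objects,
// classes, closures) is rejected regardless of the list.

function check_template(string $source, array $allowed): array
{
    // PHP function names are case-insensitive, so compare lower-cased.
    $allowed = array_map('strtolower', $allowed);
    $tokens  = token_get_all($source);
    $count   = count($tokens);
    $violations = [];
    $line = 1;

    // Constructs that are never acceptable, whatever the allow-list says.
    // Rejecting T_FUNCTION/T_CLASS is a policy choice: templates call helpers,
    // they do not define them.
    $forbidden = [
        T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
        T_NEW, T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_CLASS,
        T_DOLLAR_OPEN_CURLY_BRACES,   // "${expr}" inside a string: a variable variable
    ];
    // Tokens introduced in PHP 8, matched by name so this still loads on PHP 7.
    $forbiddenByName = ['T_FN', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_NAME_QUALIFIED',
                        'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE'];

    // Index of the next significant token after $i (skips whitespace/comments).
    $nextSignificant = function (int $i) use ($tokens, $count): ?int {
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            return $j;
        }
        return null;
    };

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];

        // Single-character punctuation is returned as a bare string with no line
        // number, so the line of the last array token is reused for it.
        if (is_string($tok)) {
            if ($tok === '`') {
                $violations[] = "line $line: backtick shell execution";
            } elseif ($tok === '$') {
                $violations[] = "line $line: variable variable (\$\$x or \${...})";
            }
            continue;
        }

        [$id, $text, $line] = $tok;

        if (in_array($id, $forbidden, true) || in_array(token_name($id), $forbiddenByName, true)) {
            $violations[] = "line $line: forbidden construct '" . trim($text) . "'";
            continue;
        }

        $n = $nextSignificant($i);
        $isCall = ($n !== null && $tokens[$n] === '(');

        // $f(...): the callee is only known at runtime, so the list cannot vet it.
        if ($id === T_VARIABLE && $isCall) {
            $violations[] = "line $line: variable function call $text(...)";
            continue;
        }

        // name(...): must be on the allow-list. A bare name not followed by '('
        // is a constant (true, PHP_EOL, ...) and is left alone.
        if ($id === T_STRING && $isCall && !in_array(strtolower($text), $allowed, true)) {
            $violations[] = "line $line: call to $text() is not on the allow-list";
        }
    }

    // Opening and closing backticks both report; collapse the duplicate.
    return array_values(array_unique($violations));
}

// Constructed sample input: a typical loop fragment followed by the kind of
// thing a hostile theme author would try.
$template = <<<'TPL'
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>
  <h2><?php the_title(); ?></h2>
  <?php the_content(); ?>
<?php endwhile; endif; ?>
<?php system($_GET['cmd']); $f = 'sys' . 'tem'; $f('id'); echo `id`; ?>
TPL;

// Illustrative allow-list (assumed); the real one would be compiled from wp-includes/*.
$allowed = ['have_posts', 'the_post', 'the_title', 'the_content'];

foreach (check_template($template, $allowed) as $violation) {
    echo $violation, "\n";
}
```

Run against the sample, the loop on lines 1 to 4 passes and line 5 is reported three times: the system() call that is not on the list, the $f() variable function call, and the backtick command. The two rules that matter most are the ones the allow-list cannot express: a call whose callee is a variable, and any construct (eval, include, backticks, string callbacks) that executes something the tokenizer never saw as a T_STRING followed by ‘(’.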