views: 231

answers: 5

Kohana and Codeigniter both have encode_php_tags(). I understand XSS cleaning (for Javascript), but when and why would you use encode_php_tags()? What is the security threat?

A: 

Why they've listed this as a security-related function I couldn't tell you, but this pretty much just replaces the < and > in the PHP tags with their encoded forms, thus preventing the actual PHP code between the tags from being parsed. Purely a visual thing, but there you have it...

Hexagon Theory
Would you consider htmlspecialchars() or mysqli_real_escape_string() to be purely visual things?
Calvin
+4  A: 

A smart fellow on the #kohana forum suggested that it is there because Expression Engine uses eval() for templates. If someone were to embed PHP in a string it is possible it would be eval()'d and executed. Since Kohana does not use eval() for templates it is possible that it is just left over from Codeigniter days.

pifantastic
+1  A: 

If your application allows user input to be written as a file of some kind, you should prevent the user from entering PHP code that could then be executed on your server.

encode_php_tags() prevents this.

Ólafur Waage
+2  A: 

This ensures that any PHP code in user input will not be executed if, for example, the application writes the input to a file or passes it to eval(). Or if you just want to write out some PHP code to show the browser.

Mike Ivanov
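The scenario the two answers above describe (user input ending up in a file that PHP later parses) can be made concrete. The following is an added example and not CodeIgniter's or Kohana's own code; `encode_php_tags_demo()` is a stand-in that assumes the framework function simply replaces the PHP open/close tags with their HTML-entity forms, and `render()` is a hypothetical helper that writes a template string to a temporary file and `include`s it, which is the "application writes the input to a file" case. The sample input is constructed.

```php
<?php
// Added example (not CodeIgniter's or Kohana's code). Assumption: the
// framework's encode_php_tags() replaces "<?" and "?>" with entities so
// that PHP's lexer never sees an open tag. This stand-in does the same.
function encode_php_tags_demo(string $str): string
{
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $str);
}

// Hypothetical helper: write template source to a temp file, include it,
// and return what it printed. This mimics an app that stores user-supplied
// content as a PHP template on disk.
function render(string $source, array $vars = []): string
{
    $file = tempnam(sys_get_temp_dir(), 'tpl');
    file_put_contents($file, $source);
    extract($vars);            // make $vars available to the template
    ob_start();
    include $file;             // PHP parses and executes the file
    $out = ob_get_clean();
    unlink($file);
    return $out;
}

// Constructed sample input: a "display name" that carries a PHP tag.
$untrusted = "Alice <?php echo 'injected'; ?>";

// Risky pattern: user data is concatenated into template SOURCE. With the
// tags encoded, PHP treats them as plain text and nothing is executed.
$source = "<p>Hello, " . encode_php_tags_demo($untrusted) . "</p>\n";
echo render($source);
// prints: <p>Hello, Alice &lt;?php echo 'injected'; ?&gt;</p>

// Preferable design: keep user data out of the template source entirely.
// Pass it in as a variable and HTML-escape it at output time; then
// encode_php_tags() is not needed because the data is never parsed as code.
$safeSource = '<p>Hello, <?= htmlspecialchars($name, ENT_QUOTES, "UTF-8") ?></p>' . "\n";
echo render($safeSource, ['name' => $untrusted]);
// prints: <p>Hello, Alice &lt;?php echo &#039;injected&#039;; ?&gt;</p>
```

The first call shows what encoding the tags buys you: the stored file still passes through PHP's parser, but it contains no open tag, so the injected code is inert and the browser displays it as text. The second call shows the approach the later answers lean towards; when user input is handed to the template as data rather than spliced into its source, the normal HTML-escaping path covers both the XSS and the code-execution concern at once.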
+1  A: 

The usage point is clear: your website users should not write PHP code in your forms. If you're using the other XSS-prevention methods provided by CI or Kohana, there's no necessity to use this.

Leszek Laszka