cretz / dust-php

Powerful PHP templating engine based off of Dust JS
http://cretz.github.com/dust-php
MIT License

Text is evaluated as code. #11

Open traviswimer opened 8 years ago

traviswimer commented 8 years ago

I happened to use the word "join" in some text that I was passing to renderTemplate(). This resulted in the following error:

Warning: join(): Invalid arguments passed in /path/to/vendor/dust-php/dust-php/src/Dust/Evaluate/Evaluator.php on line 342

This seems like it is probably a very bad security vulnerability.

Is anyone still maintaining this project?

cretz commented 8 years ago

To be honest, I am not maintaining this project. I used it as an example to try out my new kinda-language transpiler to PHP. Having said that, I think Dust fits perfectly and would definitely like to see it rebuilt in PHP proper and maintained.
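One way a plain string such as "join" can end up being called as a function, shown next to a stricter check. This is an added example, not dust-php code and not part of either comment. It assumes the evaluator decides whether a context value is a helper with `is_callable()`, which this thread does not confirm; `resolveNaive` and `resolveStrict` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a template evaluator's value lookup; not dust-php code.
// Assumption: a context value is treated as a helper whenever is_callable() says so.
function resolveNaive(array $context, string $key, array $params = [])
{
    $value = $context[$key] ?? null;
    // Pitfall: is_callable("join") is true, because any string that names a
    // PHP function (or "Class::method") counts as a callable.
    if (is_callable($value)) {
        return call_user_func($value, $params);
    }
    return $value;
}

// Hardened lookup: only real Closure objects are invoked; strings stay data.
function resolveStrict(array $context, string $key, array $params = [])
{
    $value = $context[$key] ?? null;
    if ($value instanceof \Closure) {
        return $value($params);
    }
    return $value;
}

// Constructed sample context: one plain-text value and one intended helper.
$context = [
    'verb'  => 'join',
    'shout' => function (array $p): string {
        return strtoupper(implode(' ', $p));
    },
];
$params = ['our', 'team'];

var_dump(is_callable($context['verb']));             // the text passes the callable check
var_dump(resolveNaive($context, 'verb', $params));   // join() is invoked on the params
var_dump(resolveStrict($context, 'verb', $params));  // the text is returned as data
var_dump(resolveStrict($context, 'shout', $params)); // closures registered as helpers still run
```

Any template data that reaches a check like the naive one should be treated as untrusted input, since the set of strings that are callable is every function name loaded in the PHP process.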