Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Volt disable use of <?php ?>

Is there anyway to disable the use of "php" tags inside volt? I would like users to edit volt files, but to prevent them for injecting custom code into the file.. How would I achive this?

$di->set('view', function () {

            $view = new View();

            $view->setViewsDir('../../themes/default/production/v1.0.0/');

            $view->registerEngines([
                '.volt' => function ($view) {

                    $volt = new VoltEngine($view, $this);

                    $volt->setOptions([
                        'compiledPath' => '../../themes/default/production/v1.0.0/cache/',
                        'compiledSeparator' => '_',
                        'compileAlways' => true
                    ]);

                    $compiler = $volt->getCompiler();

                    $compiler->addExtension(
                        new PhpFunctionExtension()
                    );

                    return $volt;
                }
            ]);

            return $view;
        }, true);


114.4k
Accepted
answer
edited Mar '20

This was asked last January: https://forum.phalcon.io/discussion/19179/i-want-to-disable-the-php-syntax.

My suggestion now is the same as then: Write a class that extends VoltEngine and write a custom render() wrapper that looks for <?php & ?> tags. How you react when those tags are found - stripping them or throwing an error or something else - is up to you.



1.7k

Thanks for your reply.

I think i will go with Twig instead.