• This extension includes PHP tags/code in its backend output. The culprit is the file under nextgen-gallery/templates/AttachToPost/tinymce_placeholder.php:

    <?php
    /**
     * Template file
     */

    ?>
    <?php // phpcs:disable PHPCompatibility.Miscellaneous.RemovedAlternativePHPTags.MaybeASPOpenTagFound,Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound ?>
    <script type="text/underscore-template" id="ngg-igw-placeholder">
        <div class="mceItem mceNonEditable nggPlaceholder"
             id="<%- ref %>"
             data-shortcode="<%- shortcode %>"
             data-mce-resize="false"
             data-mce-placeholder="1"
             contenteditable="false">
            <h3><%- nextgen_gallery %></h3>
            <div class="nggPlaceholderButton nggIgwEdit">
                <%- edit %>
            </div>
            <div class="nggPlaceholderButton nggIgwRemove">
                <%- remove %>
            </div>
        </div>
    </script>
    <?php // phpcs:enable PHPCompatibility.Miscellaneous.RemovedAlternativePHPTags.MaybeASPOpenTagFound,Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound ?>

This code is included as is in the /wp-admin/ backend, for example when accessing the comments (/wp-admin/edit-comments.php). While this in itself isn’t a security risk, PHP tags or code must not be included in the HTML output. In my case, this issue triggers my WAF (web application firewall), which tries to block any responses that contain PHP code.

The inclusion likely happens in nextgen-gallery/src/IGW/ATPManager.php:

    /**
     * Renders the underscore template used by TinyMCE for IGW placeholders
     */
    public function print_tinymce_placeholder_template() {
        $view     = new View( 'AttachToPost/tinymce_placeholder', [], 'photocrati-attach_to_post#tinymce_placeholder' );
        $template = $view->find_template_abspath( 'AttachToPost/tinymce_placeholder', 'photocrati-attach_to_post#tinymce_placeholder' );
        readfile( $template ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_readfile
    }

Two suggestions on how to solve this:

• Remove <?php ... ?> tags from tinymce_placeholder.php altogether and make it an HTML file instead
• Parse the PHP file and only output the HTML portion
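The second suggestion above, as an added example that is not part of the report or of the plugin's own code. It assumes a template path resolved the same way the existing find_template_abspath() call does; the template content below is a constructed sample mirroring the reported file, not the plugin's file.

```php
<?php
// Added example, not NextGEN Gallery code. readfile() copies the template
// byte-for-byte, so its <?php ... ?> blocks land in the admin HTML. Running the
// template through include (with output buffering) lets PHP evaluate those
// blocks, and the comment-only blocks produce no output, so only the <script>
// markup is emitted. A final regex pass strips any PHP tag that would still be
// leaked, which is the condition the reporter's WAF alerts on.
function ngg_print_template_html( string $template ): string {
    ob_start();
    include $template;
    $html = (string) ob_get_clean();

    // Defensive check: drop any remaining <?php ... ?>, <?= ... ?> or <? ... ?>
    // block instead of echoing it to the browser.
    return (string) preg_replace( '/<\?(?:php|=)?.*?\?>/s', '', $html );
}

// Constructed sample template (same shape as the reported file).
$sample = "<?php\n/**\n * Template file\n */\n?>\n"
        . "<?php // phpcs:disable Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound ?>\n"
        . "<script type=\"text/underscore-template\" id=\"ngg-igw-placeholder\">\n"
        . "    <h3><%- nextgen_gallery %></h3>\n"
        . "</script>\n"
        . "<?php // phpcs:enable Generic.PHP.DisallowAlternativePHPTags.MaybeASPOpenTagFound ?>\n";

$path = tempnam( sys_get_temp_dir(), 'ngg' );
file_put_contents( $path, $sample );

$out = ngg_print_template_html( $path );
unlink( $path );

// The rendered output must contain the template markup and no PHP tags at all.
if ( strpos( $out, '<?' ) !== false || strpos( $out, 'ngg-igw-placeholder' ) === false ) {
    fwrite( STDERR, "PHP tags leaked into template output\n" );
    exit( 1 );
}
echo $out;
```

The same strpos( $out, '<?' ) check can be run against a fetched /wp-admin/ page to confirm the leak is gone after updating.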
Viewing 2 replies - 1 through 2 (of 2 total)
Plugin Support Mihai

    (@mceban)

    Hi @davidh64 ,

    Sorry for the late reply and thank you for the detailed report.

    I’ve created an issue report for our development team and they’ll look into solving it in one of the next plugin updates.

    In the meantime, if your WAF allows path-based or response-body exclusions, consider adding a rule to exempt the WP admin (/wp-admin/) from that specific PHP-code-in-response check as a temporary workaround, keeping in mind this might not align with your security policy.

    Best regards,

    Thread Starter DavidH64

    (@davidh64)

@mceban Any update on this? The most recent releases still contain this PHP code in their output….
